FunnelKit Vulnerability: 40,000+ WooCommerce Sites Need Attention Now
There's a critical security flaw in FunnelKit — a popular WooCommerce plugin — and if your online shop uses it, a stranger could potentially access parts of your site they have no business touching. This was flagged publicly and is being actively discussed in security circles as of May 2026.
What Is the FunnelKit Vulnerability?
FunnelKit (also known as WooFunnels) is a plugin used by more than 40,000 WooCommerce stores to build sales funnels — think checkout pages, upsells, and automated email sequences. It's a heavy hitter. A lot of shops that sell things online rely on it.
According to reporting cited by GBHackers, a critical vulnerability has been identified in the plugin that puts those 40,000-plus sites at risk. The flaw is described as an authentication bypass issue — which, in plain English, means someone could skip past the login or permission checks your site is supposed to enforce. That's not a minor bug. That's a front door left unlocked.
We could not confirm the exact version number affected or the precise patch version from the source material available. No official documentation from FunnelKit's team was accessible at the time of writing.
Honestly, that's a bit thin for a vulnerability of this scale. But the headline fact — 40,000+ WooCommerce sites exposed — is consistent across multiple security outlets reporting this week.
What's Still Unclear
Are you actually affected right now? That depends on which version of FunnelKit you're running.
The source material doesn't confirm whether a patch has already been released and pushed automatically, or whether you need to update manually. It also doesn't confirm whether this vulnerability is being actively exploited in the wild — meaning whether hackers are already using it — or whether it's theoretical at this stage. We could not verify either of those details from the sources provided.
What we do know is that authentication bypass flaws — where someone skips your site's login process entirely — are among the most serious classes of WordPress plugin problems. They don't require a hacker to guess your password. They sidestep it.
What to Do Right Now
Go to your WordPress dashboard. Click Plugins in the left menu. Find FunnelKit (it may appear as "FunnelKit – Funnel Builder for WordPress & WooCommerce"). If there's an update available, install it immediately. Don't wait until Monday.
If you manage client sites, check every WooCommerce store in your portfolio. Not just the ones you built recently — older sites often run outdated plugins because nobody thought to check.
Three things worth doing today:
- Update FunnelKit to the latest available version
- Check your WordPress admin users — look for any accounts you don't recognise
- Review recent orders on affected WooCommerce stores for anything suspicious
If you're not sure whether your clients' sites are running FunnelKit, search your plugin folders or ask your hosting provider for a plugin audit. Some managed WordPress hosts can do this across multiple sites at once.
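One way to do the plugin-folder check yourself, as an added example that is not code from the article or from FunnelKit: the script below parses the "Plugin Name:" and "Version:" header lines that WordPress itself reads from each plugin's main PHP file and reports any plugin named FunnelKit or WooFunnels with its installed version, so you can compare that version against the latest release (the article could not confirm a patched version, so the script makes no vulnerable/not-vulnerable call). The sample plugin stubs, the `funnel-builder` directory name and the version numbers in them are constructed for the demo.

```python
"""Inventory wp-content/plugins and flag FunnelKit / WooFunnels (added example, not
from the article). Parses the "Plugin Name:" and "Version:" header lines WordPress
itself reads from the first 8 KB of each top-level PHP file in a plugin folder."""
import os
import re
import tempfile
from pathlib import Path

HEADER_FIELDS = ("Plugin Name", "Version")
FUNNELKIT_PATTERN = re.compile(r"funnelkit|woofunnels", re.I)

def read_plugin_header(path):
    # Same shape as WordPress get_file_data(): header field at line start, after
    # optional comment decoration such as " * " or "#"; a trailing "*/" is dropped.
    head = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for field in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M)
        if m:
            fields[field] = re.sub(r"\s*(?:\*/)?\s*$", "", m.group(1)).strip()
    return fields

def scan_plugins_dir(plugins_dir):
    """Return [(slug, name, version)] for plugins whose name matches FunnelKit."""
    hits = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        for fname in sorted(f for f in os.listdir(plugin_path) if f.endswith(".php")):
            hdr = read_plugin_header(os.path.join(plugin_path, fname))
            if FUNNELKIT_PATTERN.search(hdr.get("Plugin Name", "")):
                hits.append((slug, hdr["Plugin Name"], hdr.get("Version", "unknown")))
                break  # the first file carrying a Plugin Name header is the main file
    return hits

def build_sample_plugins_dir():
    """Throwaway plugins dir with constructed stubs; slug and versions are made up."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "funnel-builder/funnel-builder.php": "<?php\n/**\n * Plugin Name: FunnelKit "
        "– Funnel Builder for WordPress & WooCommerce\n * Version: 1.2.3\n */\n",
        "example-helper/example-helper.php": "<?php\n/*\nPlugin Name: Example Helper\nVersion: 0.9.0\n*/\n",
    }
    for rel, body in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body, encoding="utf-8")
    return root
```

On a real site, point `scan_plugins_dir` at the installation's `wp-content/plugins` directory instead of the sample directory; a hit with no "Version" header is reported as "unknown" rather than skipped.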
One more thing worth saying plainly: if your site went down or started behaving oddly recently and you're running FunnelKit, that's not a coincidence you should ignore.
Can Uptrue Detect This?
Uptrue won't catch a plugin vulnerability before it's exploited — no monitoring tool can. But here's what it will catch: the symptoms. If a compromised site starts returning errors, goes offline, or slows to a crawl after something goes wrong, Uptrue alerts you immediately. Most site owners find out their site was hacked when a client calls in a panic. Monitoring means you find out first, at 3am, before anyone else does.
You can check whether your site is responding normally right now using the Uptrue tracker. Takes about ten seconds.
FAQ
What is FunnelKit and do I need it?
FunnelKit is a WordPress plugin for WooCommerce that builds sales funnels — checkout flows, upsell pages, and email automations. If you run an online shop and use advanced checkout features, you may have it installed.
What does an authentication bypass vulnerability actually mean?
It means an attacker can get into restricted parts of your site without needing a username or password. The plugin fails to properly check whether someone has permission before letting them in.
How do I know if my site is affected by the FunnelKit vulnerability?
Log into your WordPress dashboard, go to Plugins, and look for FunnelKit or WooFunnels. If it's installed, check the version and update it to the latest available version immediately.
Has FunnelKit released a fix yet?
We could not confirm a specific patched version number from the available sources at the time of writing on 19 May 2026. Check the plugin's update page in your dashboard and the official WordPress plugin repository for the latest release.
Will my hosting provider fix this automatically?
Most shared and managed WordPress hosts do not auto-update plugins on your behalf. You are responsible for keeping your plugins current unless you have a managed service that explicitly handles this.