A critical Cross-Site Scripting (XSS) vulnerability has been discovered in the WordPress Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin, raising concerns over WordPress security and the potential for malware issues. The responsible disclosure and reporting by LEE SE HYOUNG (hackintoanetwork) shed light on the severity of this security flaw, which allows malicious actors to inject harmful scripts into websites. When unsuspecting visitors access these compromised sites, the injected scripts execute, leading to various malicious outcomes, including redirection to harmful websites, unauthorized advertisements, and the theft of sensitive information. The implications of this vulnerability are significant, emphasizing the need for immediate action to safeguard WordPress websites.

The XSS vulnerability in the WPFunnels plugin enables malicious actors to inject arbitrary code into the website’s output, posing severe risks to overall website security.


The vulnerability has been assigned a high severity level, with a CVSS 3.1 score of 7.5. This score underscores the ease of exploitability and its considerable impact on website security.

Affected Versions:

All versions of the WPFunnels plugin released before version 2.7.17 are susceptible to this exploit, leaving websites using older versions vulnerable to potential attacks.


By exploiting this vulnerability, malicious actors can inject harmful scripts into WordPress websites. When visitors access these compromised sites, the injected scripts execute, potentially leading to harmful consequences, including:

  1. Redirection to malicious websites, compromising visitors’ safety.
  2. Unauthorized injection of advertisements, disrupts the user experience.
  3. Theft of sensitive information from unsuspecting visitors, endangering their privacy.


To ensure robust WordPress security and protect against potential attacks, users of the WPFunnels plugin are strongly advised to take immediate action. Upgrading to version 2.7.17 is imperative, as this release contains vital fixes to address the XSS vulnerability and bolster overall plugin security. Timely updates are critical in safeguarding WordPress websites and minimizing the risk of unauthorized access and malicious script injections.

WordPress security is a shared responsibility, and staying proactive in updating plugins and adopting best security practices are essential to maintaining a secure WordPress environment. By promptly addressing vulnerabilities like this XSS flaw in the WPFunnels plugin, website owners can protect their websites and visitors from potential harm and ensure a safe browsing experience for all users.