An unpatched security flaw in the Funnel Builder plugin for WordPress has been actively exploited, allowing threat actors to inject malicious JavaScript code into WooCommerce checkout pages and steal payment card data from thousands of online stores worldwide.

  • Vulnerability in Funnel Builder plugin actively exploited on WooCommerce checkout pages
  • Injected JavaScript skimmers steal payment card information across over 40,000 sites
  • Site operators urged to update plugin and audit external script settings immediately

Threat signal

A critical flaw in the Funnel Builder WordPress plugin grants attackers the ability to inject arbitrary JavaScript into WooCommerce checkout interfaces. This injection happens through an unprotected endpoint that allows modification of the plugin’s external scripts globally, enabling persistent malicious code execution on every purchase page. The covert payload mimics legitimate analytics tools but instead establishes WebSocket connections to attacker-controlled servers for data exfiltration.

This threat represents a sophisticated software supply-chain risk as it exploits trusted plugin functionality designed to enhance conversion rates and customize checkout flows. Given the plugin’s wide installation base exceeding 40,000 active sites, the scope of affected e-commerce businesses is substantial, spanning diverse sectors worldwide. The active exploitation demonstrates the pressing need for continuous monitoring of third-party software components in digital commerce environments.

Operator exposure

E-commerce operators using the Funnel Builder plugin face direct exposure to payment card theft, and the attack requires no user authentication or complex intrusion steps. The injected skimming scripts harvest credit card details during the checkout process, which can lead to immediate financial fraud or long-term reputation damage due to compromised customer data. This intrusion undermines trust in online storefronts and can have regulatory compliance implications related to payment data security standards such as PCI DSS.

Because the vulnerability permits attackers to alter key plugin configuration remotely, operators must consider not only patching the software but also reviewing plugin settings, especially the 'External Scripts' field, for remnants of malicious code. Failure to identify and remove injected scripts after patching could prolong breach impact and data leakage. This scenario illustrates the operational challenge of fast detection and remediation in environments where web plugins integrate deeply with business-critical processes.

What teams should watch

Security and DevOps teams should prioritize immediate upgrade to Funnel Builder version 3.15.0.3 or later, which addresses this vulnerability. Alongside patching, teams need to audit affected websites’ checkout configuration for unauthorized external scripts that could still be injecting malicious code. Monitoring WebSocket connections originating from checkout pages and reviewing network traffic for unusual endpoints related to payment data exfiltration can aid early detection of ongoing compromise.
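One way to run the audit described above against a saved copy of the rendered checkout page, as an added example that is not from the original briefing or the plugin: it lists external script sources and WebSocket endpoints that are not on a store-defined allowlist. The allowlist, host names and sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this store intentionally loads checkout scripts from.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}
WS_URL = re.compile(r"""wss?://[^\s'"`<>)]+""", re.I)

# Constructed sample of a rendered checkout page (not real traffic).
SAMPLE = """<html><body>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="https://analytics-cdn.invalid/tag.js"></script>
<script>var s = new WebSocket("wss://collector.invalid/ws");</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:  # inline script: start capturing its body
                self._in_script = True
                self.inline.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

def audit_checkout(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (kind, value) findings for hosts that are not allowlisted."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        # Relative URLs have no hostname and resolve to the page's own host.
        host = urlparse(src, scheme="https").hostname or page_host
        if host not in allowed:
            findings.append(("external-script", src))
    for body in p.inline:
        for url in WS_URL.findall(body):
            if urlparse(url).hostname not in allowed:
                findings.append(("websocket", url))
    return findings
```

A WebSocket URL that is assembled at runtime will not match the regex, so this static check complements browser-side network monitoring of the checkout page rather than replacing it.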

Broader vigilance around third-party plugin updates and integrity checks must be integrated into organizational risk processes. Given the plugin’s role in customizing checkout flows, security teams should validate that no unauthorized configuration changes exist post-update. Applying proactive, continuous security validation for software supply-chain components helps reduce exposure to similar injection risks and enforces compliance with payment security mandates.

Source assisted: This briefing began from a discovered source item from BleepingComputer Security.