Funnel Builder WordPress plugin bug exploited to steal credit cards
Bill Toulas, May 15, 2026 03:30 PM

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. The flaw has not received an official identifier and can be exploited without authentication.
It affects all versions of the plugin before 3.15.0.3. Funnel Builder for WooCommerce Checkout is a WordPress plugin developed by FunnelKit, used primarily to customize checkout pages and to raise conversion rates with features such as one-click upsells and landing pages. According to WordPress.org statistics, the plugin is active on more than 40,000 websites. E-commerce security company Sansec detected the malicious activity and found that the injected payload (analytics-reports[.]com/wss/jquery-lib.js) is disguised as a Google Tag Manager/Google Analytics script and opens a WebSocket connection to an external server (wss://protect-wss[.]com/ws).
An attacker can exploit the flaw to modify the plugin's global settings through an unprotected, publicly exposed checkout endpoint. This lets them write arbitrary JavaScript into the plugin's "External Scripts" setting, so the malicious code executes on every checkout page. According to Sansec, the attacker-controlled server delivers a customized payment card skimmer that steals the following information:

- Credit card numbers
- CVVs
- Billing addresses
- Other customer information

Payment card skimmers enable threat actors to make fraudulent online purchases, and stolen records are often sold individually or in bulk on dark web portals known as carding markets.
FunnelKit addressed the vulnerability in version 3.15.0.3 of Funnel Builder, released yesterday. A security advisory from the vendor, seen by Sansec, confirms the malicious activity, saying “we identified an issue that allowed bad actors to inject scripts.” The vendor recommends that website owners and administrators prioritize updating to the latest version from the WordPress dashboard and also review Settings > Checkout > External Scripts for potential rogue scripts the attacker may have added.
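The review the vendor recommends can be done from the WordPress dashboard, but on a compromised site it is worth checking the stored settings directly, because the injected content may not be obvious in a settings text box. The following is an added example, written for this page and not code from Sansec, FunnelKit or BleepingComputer. It scans option values (for example rows exported from the wp_options table, or any other settings dump) for script sources and WebSocket endpoints, flags the two hosts named in the Sansec report, and reports any other third-party host that is not on a site-specific allowlist. The option names in the sample rows, the allowlist and the row format are constructed for the example; the only real values are the two indicator hosts, which are written undefanged here so they match.

```python
import re
from urllib.parse import urlparse

# Hosts named in the Sansec report, written undefanged (the article defangs them with [.]).
IOC_HOSTS = {"analytics-reports.com", "protect-wss.com"}

# Third-party script hosts this site legitimately loads. Assumption for the example;
# a real site keeps its own list (tag manager, analytics, payment gateway, CDN).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# <script ... src="..."> attributes and ws:// or wss:// endpoints inside a setting value.
# PHP serialization does not escape quotes, so serialized option values still match.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
WS_URL_RE = re.compile(r"wss?://[^\s'\"<>)]+", re.I)


def extract_urls(value):
    """Return every script src and WebSocket URL found in one option value."""
    urls = set(SCRIPT_SRC_RE.findall(value))
    urls.update(WS_URL_RE.findall(value))
    return urls


def classify(url):
    """'ioc' for a known bad host (or a subdomain of one), 'allowed' for an
    allowlisted host, 'unknown' for anything else that deserves a manual look."""
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
        return "ioc"
    if host in ALLOWED_HOSTS:
        return "allowed"
    return "unknown"


def audit_options(rows):
    """rows: iterable of (option_name, option_value). Returns a list of
    (option_name, url, verdict) for every non-allowlisted external reference,
    in row order and sorted by URL within a row."""
    findings = []
    for name, value in rows:
        for url in sorted(extract_urls(value)):
            verdict = classify(url)
            if verdict != "allowed":
                findings.append((name, url, verdict))
    return findings


# Constructed sample rows standing in for a wp_options export. The first row mimics an
# "External Scripts" setting that carries a legitimate tag alongside the injected loader.
SAMPLE_ROWS = [
    ("example_external_scripts",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
     '<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>'),
    ("siteurl", "https://shop.example"),
    ("example_custom_js", "var s = new WebSocket('wss://protect-wss.com/ws');"),
    ("example_cdn_script", '<script src="https://cdn.example.net/lib.js"></script>'),
]

if __name__ == "__main__":
    for name, url, verdict in audit_options(SAMPLE_ROWS):
        print(f"{verdict:8} {name}: {url}")
```

Run against a real export, every "ioc" hit confirms the compromise described above and every "unknown" hit is a script the site owner should be able to account for; the same coarse check can be done in the database with a LIKE query on option_value for the two indicator domains, but that misses any host the attacker changes later, which is why the allowlist approach is more useful. Cleaning the setting is not enough on its own: the plugin still has to be updated to 3.15.0.3, or the script can simply be re-injected.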
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.