FunnelKit and WooCommerce websites using Funnel Builder plugin: Funnel Builder WordPress plugin bug exploited to steal credit cards

Critical Funnel Builder WordPress Plugin Vulnerability Exploited in Payment Card Skimming Attacks

A severe, unpatched vulnerability in the Funnel Builder WordPress plugin used by over 40,000 websites to customize WooCommerce checkout pages is being actively exploited to inject malicious JavaScript into e-commerce sites. The flaw, which requires no authentication, affects all versions of the plugin prior to 3.15.0.3.

Security firm Sansec discovered the attacks, in which threat actors exploit an unprotected checkout endpoint to modify the plugin’s global settings. This allows them to insert arbitrary code into the "External Scripts" field, which is then executed on every checkout page. The injected script, disguised as a fake Google Tag Manager/Analytics file (analytics-reports[.]com/wss/jquery-lib.js), establishes a WebSocket connection to an attacker-controlled server (wss://protect-wss[.]com/ws).

The payload delivers a customized payment card skimmer, harvesting sensitive customer data, including:

  • Credit card numbers
  • CVVs
  • Billing addresses

Stolen payment details are typically used for fraudulent transactions or sold on dark web carding markets. FunnelKit, the plugin’s developer, released a patch (version 3.15.0.3) on June 10, 2024, acknowledging the issue in a security advisory and urging users to update immediately. The vendor also advised administrators to review the Settings > Checkout > External Scripts section for unauthorized entries.
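The vendor's advice to review the External Scripts setting, and the record's recommendation to monitor checkout pages for malicious JavaScript, as an added example (not code from the article, Sansec or FunnelKit): a Python audit that parses a rendered checkout page, flags `<script src>` hosts outside an assumed allowlist, and extracts WebSocket endpoints from script bodies. The allowlist and the sample page are constructed; the sample uses the hostnames the article names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allowlist of third-party script hosts this shop legitimately loads.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
WS_URL_RE = re.compile(r"wss?://[A-Za-z0-9.-]+(?::\d+)?[^\s'\"<>]*")

class _ScriptCollector(HTMLParser):
    """Collects <script src> URLs and the bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def websocket_hosts(js_source):
    """Hosts of ws:// or wss:// URLs in a script body (inline, or a fetched loader)."""
    return sorted({urlparse(u).hostname for u in WS_URL_RE.findall(js_source)})

def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, host, evidence) findings; relative (same-origin) srcs are skipped."""
    p = _ScriptCollector()
    p.feed(html)
    findings = [("unexpected_script_host", h, s) for s in p.external
                if (h := urlparse(s).hostname) and h not in allowed_hosts]
    for code in p.inline:
        findings += [("websocket_endpoint", h, code.strip()[:80]) for h in websocket_hosts(code)]
    return findings

# Constructed sample: GTM tag, same-origin plugin asset, benign inline tag, and the fake loader the article names.
SAMPLE_CHECKOUT_HTML = """<script src="https://www.googletagmanager.com/gtag/js?id=GTM-XXXX"></script>
<script src="/wp-content/plugins/funnel-builder/assets/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>"""
```

Run `websocket_hosts` over the body of any flagged external script once it has been fetched for analysis; the WebSocket call in this campaign lived in the loader, not in the page itself.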

Source: https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/

FunnelKit TPRM report: https://www.rankiteo.com/company/funnelkit-com

WooCommerce websites using Funnel Builder plugin TPRM report: https://www.rankiteo.com/company/getwpfunnels

"id": "funget1778876719",
"linkid": "funnelkit-com, getwpfunnels",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '40,000+ websites',
                        'industry': 'WordPress Plugin Development',
                        'name': 'FunnelKit (formerly WooFunnels)',
                        'type': 'Software Vendor'},
                       {'industry': 'Various (WooCommerce users)',
                        'type': 'E-commerce websites'}],
 'attack_vector': 'Exploitation of unpatched WordPress plugin vulnerability '
                  '(unauthenticated endpoint)',
 'customer_advisories': 'FunnelKit urged users to update immediately and '
                        'review plugin settings for unauthorized entries.',
 'data_breach': {'data_exfiltration': 'Yes (via WebSocket connection to '
                                      'attacker-controlled server)',
                 'personally_identifiable_information': 'Yes (billing '
                                                        'addresses, payment '
                                                        'details)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Payment card data (credit card '
                                             'numbers, CVVs, billing '
                                             'addresses)'},
 'date_publicly_disclosed': '2024-06-10',
 'description': 'A severe, unpatched vulnerability in the Funnel Builder '
                'WordPress plugin used by over 40,000 websites to customize '
                'WooCommerce checkout pages is being actively exploited to '
                'inject malicious JavaScript into e-commerce sites. The flaw, '
                'which requires no authentication, affects all versions of the '
                'plugin prior to 3.15.0.3. Threat actors exploit an '
                'unprotected checkout endpoint to modify the plugin’s global '
                "settings, inserting arbitrary code into the 'External "
                "Scripts' field. The injected script, disguised as a fake "
                'Google Tag Manager/Analytics file, establishes a WebSocket '
                'connection to an attacker-controlled server and delivers a '
                'customized payment card skimmer, harvesting sensitive '
                'customer data.',
 'impact': {'data_compromised': 'Credit card numbers, CVVs, billing addresses',
            'identity_theft_risk': 'High',
            'operational_impact': 'Malicious JavaScript injection into '
                                  'checkout pages',
            'payment_information_risk': 'High',
            'systems_affected': 'WordPress websites using Funnel Builder '
                                'plugin (versions prior to 3.15.0.3)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Likely (payment card '
                                                    'data)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain (fraudulent transactions, dark web carding '
               'markets)',
 'post_incident_analysis': {'corrective_actions': 'Patch released, security '
                                                  'advisory issued, '
                                                  'recommendations for '
                                                  'auditing plugin settings',
                            'root_causes': 'Unpatched vulnerability in Funnel '
                                           'Builder plugin (unprotected '
                                           'checkout endpoint)'},
 'recommendations': 'Update the Funnel Builder plugin to version 3.15.0.3 or '
                    "later, audit 'External Scripts' settings for unauthorized "
                    'entries, monitor checkout pages for malicious JavaScript, '
                    'and implement additional security measures for payment '
                    'processing.',
 'references': [{'source': 'Sansec'},
                {'source': 'FunnelKit Security Advisory'}],
 'response': {'communication_strategy': 'Security advisory issued by FunnelKit',
              'containment_measures': 'Patch released (version 3.15.0.3)',
              'remediation_measures': 'Update to patched version (3.15.0.3), '
                                      "review 'Settings > Checkout > External "
                                      "Scripts' for unauthorized entries",
              'third_party_assistance': 'Sansec (security firm)'},
 'title': 'Critical Funnel Builder WordPress Plugin Vulnerability Exploited in '
          'Payment Card Skimming Attacks',
 'type': 'Payment Card Skimming',
 'vulnerability_exploited': 'Unprotected checkout endpoint in Funnel Builder '
                            'WordPress plugin (versions prior to 3.15.0.3)'}