VYPR
breach · Published May 15, 2026 · Updated May 17, 2026 · 2 sources

Funnel Builder Plugin Vulnerability Exploited for WooCommerce Payment Skimming

A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin is being actively exploited to inject payment skimmers into WooCommerce checkout pages, affecting over 40,000 websites.

A critical, unauthenticated vulnerability in the Funnel Builder plugin for WordPress is currently being exploited in the wild to facilitate payment card skimming. The flaw, which affects all versions of the plugin prior to 3.15.0.3, allows attackers to inject malicious JavaScript directly into WooCommerce checkout pages, compromising the sensitive data of customers across more than 40,000 active installations (The Hacker News, BleepingComputer).

The vulnerability stems from a publicly exposed checkout endpoint within the plugin that fails to perform necessary permission checks or restrict the internal methods available to callers. By sending an unauthenticated request to this endpoint, an attacker can trigger an internal function that writes arbitrary data into the plugin's global settings (The Hacker News). Specifically, attackers are using this access to modify the "External Scripts" configuration, injecting malicious code that executes whenever a customer visits a checkout page (BleepingComputer).

Once the malicious script is injected, it is often disguised as a legitimate Google Tag Manager or Google Analytics snippet to evade detection by site administrators (The Hacker News). This script acts as a remote loader, establishing a WebSocket connection to an attacker-controlled command-and-control (C2) server (identified in some instances as wss://protect-wss[.]com/ws) to retrieve a tailored payment skimmer (The Hacker News, BleepingComputer). The skimmer is designed to capture credit card numbers, CVVs, billing addresses, and other personal information entered by users during the checkout process (BleepingComputer).

FunnelKit, the developer of the Funnel Builder plugin, addressed the security gap in version 3.15.0.3, which was released on May 14, 2026 (BleepingComputer). The vendor has confirmed the existence of the vulnerability and the ongoing malicious activity, urging all administrators to update their installations immediately (BleepingComputer). In addition to patching, site owners are strongly advised to manually inspect their "Settings > Checkout > External Scripts" configuration to identify and remove any unauthorized or suspicious scripts that may have been injected by attackers (The Hacker News, BleepingComputer).
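One way to triage the text copied out of that External Scripts field, as an added example (not code from FunnelKit or the cited reports): it flags WebSocket endpoints, the C2 host quoted above, and Google-style tags that load from non-Google hosts. The function name, the host allowlist and the sample snippets are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts the genuine Google tag snippets load from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Indicator quoted in the article, kept defanged in source and refanged here.
KNOWN_C2_HOSTS = {h.replace("[.]", ".") for h in ["protect-wss[.]com"]}

URL_RE = re.compile(r"""(?:https?|wss?)://[^\s'"<>)]+""", re.I)
GOOGLE_STYLE = re.compile(r"gtag\(|dataLayer|GTM-[A-Z0-9]+|google-analytics", re.I)
WS_CTOR = re.compile(r"new\s+WebSocket\s*\(")

# Constructed samples (not captured from a real site).
CLEAN_TAG = (
    '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>'
    "<script>window.dataLayer=window.dataLayer||[];"
    "function gtag(){dataLayer.push(arguments);}gtag('config','G-XXXXXXX');</script>"
)
FAKE_TAG_WS = (
    "<!-- Google Tag Manager --><script>window.dataLayer=window.dataLayer||[];"
    'var s=new WebSocket("wss://loader.example.invalid/ws");</script>'
)
FAKE_TAG_SRC = (
    '<script async src="https://cdn.example.invalid/gtag/js?id=G-XXXXXXX"></script>'
    "<script>window.dataLayer=[];</script>"
)


def audit_external_scripts(setting_value: str) -> list[str]:
    """Return findings for the text of one External Scripts field."""
    findings = []
    claims_google = bool(GOOGLE_STYLE.search(setting_value))
    for url in URL_RE.findall(setting_value):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in KNOWN_C2_HOSTS:
            findings.append(f"known-c2: {host}")
        if parsed.scheme.lower() in ("ws", "wss"):
            findings.append(f"websocket-endpoint: {host}")
        elif claims_google and host not in ALLOWED_HOSTS:
            findings.append(f"masquerade: Google-style tag loads from {host}")
    if WS_CTOR.search(setting_value):
        findings.append("websocket-constructor")
    return findings


if __name__ == "__main__":
    for name in ("CLEAN_TAG", "FAKE_TAG_WS", "FAKE_TAG_SRC"):
        print(name, audit_external_scripts(globals()[name]))
```

These checks are heuristics for prioritising manual review; an empty result does not replace reading every script in the field.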

The use of "masquerading" scripts, where malicious code is hidden within familiar-looking analytics tags, reflects a persistent trend in Magecart-style attacks, where attackers rely on the fact that site maintainers often overlook standard tracking tags during security audits (The Hacker News). This incident underscores the ongoing risk to e-commerce platforms, where attackers continuously seek to exploit plugin vulnerabilities to turn trusted storefronts into data-harvesting operations. As these campaigns evolve, the ability to dynamically inject and update malicious payloads via remote loaders remains a significant challenge for website security.

Synthesized by Vypr AI