A critical security flaw in the Funnel Builder plugin for WordPress is being actively exploited by hackers to inject malicious JavaScript into WooCommerce checkout pages and steal customer payment details.
The vulnerability has not yet been assigned a CVE or other tracking identifier. It can be exploited without authentication and affects all versions of the Funnel Builder plugin before 3.15.0.3.
Funnel Builder, developed by FunnelKit, is a popular WooCommerce checkout plugin used to customize checkout pages, create landing pages, add one-click upsells, and improve online store conversion rates. According to WordPress.org statistics, the plugin is active on more than 40,000 websites.
E-commerce security firm Sansec detected the attacks and found that the malicious payload was disguised as a Google Tag Manager or Google Analytics script. The script, hosted at analytics-reports[.]com/wss/jquery-lib.js, opens a WebSocket connection to an attacker-controlled server at wss://protect-wss[.]com/ws.
Attackers exploit the flaw by modifying the plugin's global settings through a public checkout endpoint that does not verify who is calling it. This lets them write arbitrary JavaScript into the plugin's "External Scripts" setting, and because the plugin outputs that setting on every checkout page, the injected code runs for every customer who reaches checkout.
According to Sansec, the attacker-controlled server delivers a customized payment card skimmer designed to steal credit card numbers, CVVs, billing addresses, and other customer information entered during checkout.
Payment card skimmers are commonly used by cybercriminals to collect financial details that can later be used for fraudulent online purchases. Stolen card data is also often sold on dark web carding markets, either individually or in bulk.
FunnelKit fixed the vulnerability in Funnel Builder version 3.15.0.3, which was released yesterday. A vendor advisory seen by Sansec confirmed the malicious activity, saying the company had identified an issue that allowed bad actors to inject scripts.
Website owners and administrators using Funnel Builder are advised to update the plugin immediately from the WordPress dashboard. Updating closes the entry point but does not remove a script that attackers have already stored, so FunnelKit also recommends checking Settings > Checkout > External Scripts to make sure no suspicious or unauthorized scripts were added. A site that finds an injected script there should assume that card details entered while it was present were exposed to the skimmer.
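The article does not name the database option that backs the External Scripts setting, so the following check works on what customers actually receive: the rendered HTML of the checkout page. It is an added example, not code from the article, Sansec, or FunnelKit. It parses every script tag, flags the two hosts named above, flags any external script host that is not on an allowlist, and flags WebSocket URLs inside inline scripts. The allowlist, the finding labels, and the sample checkout page are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators named in the article, with the defanging brackets removed so they
# match real markup.
KNOWN_BAD_HOSTS = {"analytics-reports.com", "protect-wss.com"}

# Third-party hosts this store is expected to load scripts from. This allowlist is an
# assumption made for the example; tailor it to the site being checked.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Absolute http(s)/ws(s) URLs inside inline script bodies.
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s'"<>()]+""", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects <script src=...> values and inline <script> bodies from rendered HTML."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_of(url):
    """Lowercase hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def scan_checkout_html(html):
    """Return (kind, detail) findings for script loads and sockets a checkout page should not have."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        host = host_of(src)
        if not host:
            continue  # same-origin relative path such as the plugin's own bundled assets
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_ioc_script", src))
        elif host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unlisted_external_script", src))
    for body in parser.inline:
        for url in URL_RE.findall(body):
            if host_of(url) in KNOWN_BAD_HOSTS:
                findings.append(("known_ioc_in_inline_script", url))
            elif url.lower().startswith(("ws://", "wss://")):
                # A checkout page has no business opening a raw WebSocket to a third party.
                findings.append(("websocket_in_inline_script", url))
    return findings


# Constructed sample (not a real capture): a checkout page carrying a legitimate GTM tag,
# a local WooCommerce asset, and the two indicators described in the article.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<!-- Google Tag Manager -->
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>
  var ws = new WebSocket("wss://protect-wss.com/ws");
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

To run it against a live store, save the checkout page as a logged-out visitor (the injected script is served to every customer, so no session is needed) and pass that HTML to scan_checkout_html in place of the sample. The allowlist check matters as much as the two named hosts: a follow-up campaign will change domains, but a store's legitimate third-party script hosts rarely do.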