A critical Funnel Builder vulnerability is exposing WooCommerce stores to active payment card theft. Attackers are exploiting the flaw to inject malicious JavaScript into checkout pages, where it can steal customer payment details during purchases.
The issue affects Funnel Builder versions before 3.15.0.3. FunnelKit has already released a security update, so store owners should patch the plugin immediately and review their checkout pages for suspicious scripts.
Attackers Used the Bug to Add Skimmers
Security researchers found that attackers used an exposed checkout endpoint to modify Funnel Builder’s global settings. That access allowed them to place malicious code inside the plugin’s External Scripts setting.
Once injected, the script ran on WooCommerce checkout pages. It disguised itself as an analytics-related script, which made the activity harder to spot during a quick review.
The skimmer targeted sensitive customer data, including credit card numbers, CVV codes, billing addresses, and other checkout details.
Why This Attack Is Dangerous
The Funnel Builder vulnerability is especially serious because attackers do not need a logged-in account to exploit it. That makes unpatched stores easier to target at scale.
WooCommerce checkout pages are also high-value targets. A successful skimmer can collect payment data directly as customers enter it, which creates risks for shoppers and business owners alike.
For affected stores, the damage may extend beyond the initial theft. Owners may face customer complaints, fraud reports, payment provider scrutiny, and reputation loss after a compromise.
FunnelKit Released a Patch
FunnelKit fixed the issue in Funnel Builder version 3.15.0.3. Website owners using older versions should update immediately.
Administrators should also inspect the External Scripts setting and remove anything unfamiliar. They should scan checkout pages, review recent plugin changes, and check logs for suspicious activity around the time of the attack.
Stores that may have been compromised should also contact their payment processor and consider warning affected customers.
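One way to make the "review checkout pages for suspicious scripts" step repeatable is to save the rendered checkout HTML and audit its script tags against the hosts the store legitimately uses. The script below is an added example written for this article, not code from FunnelKit, WooCommerce or the researchers; the allowed-host list, the sample page and the inline-script heuristics are constructed assumptions that a store owner would replace with their own vendors.

```python
"""Audit saved WooCommerce checkout HTML for unexpected script tags.

Added example (not from the article, FunnelKit or WooCommerce). Assumes the
operator has saved the rendered checkout page to a file and knows which
hosts the store legitimately loads scripts from.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store is known to load scripts from. Assumption for this example:
# replace with your own store domain and the analytics/payment vendors you use.
ALLOWED_HOSTS = {"shop.example", "www.google-analytics.com"}

# Inline-script indicators: a script that both references card fields and
# ships data off-page is worth a manual look. Two distinct hits are required
# so an ordinary form-validation helper does not alert on its own.
SUSPICIOUS_PATTERNS = [
    r"card[_-]?number",
    r"cvv|cvc|security[_-]?code",
    r"expir",
    r"querySelectorAll\(\s*['\"]input",
    r"sendBeacon|XMLHttpRequest|fetch\(",
]


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # body text of every inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (kind, detail) findings for scripts that need review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Absolute and protocol-relative URLs carry a host; relative paths are
        # same-origin and are treated as the store's own files.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unknown_external_script", src))
    for body in parser.inline:
        hits = {p for p in SUSPICIOUS_PATTERNS if re.search(p, body, re.IGNORECASE)}
        if len(hits) >= 2:
            findings.append(("suspicious_inline_script", body.strip()[:80]))
    return findings


# Constructed sample page for the example, not captured from any real store.
# The third script imitates an analytics file but comes from an unknown host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//analytics-cdn.example/ga-tracking.js"></script>
<script>var wc_checkout_params = {"ajax_url": "/wp-admin/admin-ajax.php"};</script>
</head><body><form class="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run it against `curl -s https://<your-store>/checkout/` output saved to a file (also fetch the page as a logged-in customer, since scripts can be served conditionally), and treat every `unknown_external_script` finding as something to trace back to a plugin setting such as Funnel Builder's External Scripts. A host that looks like an analytics vendor but is not one you configured is exactly the disguise the article describes.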
Conclusion
The Funnel Builder vulnerability shows how quickly attackers can turn a WordPress plugin bug into a direct payment theft campaign. By targeting WooCommerce checkout pages, they placed customer card data at immediate risk.
Store owners should update Funnel Builder to version 3.15.0.3 or newer now. They should also review checkout scripts carefully, since patching the plugin will not always remove injected malicious code.