
Funnel Builder Flaw Exploited for WooCommerce Checkout Skimming


"Attackers are planting fake Google Tag Manager scripts into the plugin's 'External Scripts' setting," Sansec said.

What Sansec reported about active exploitation

Security firm Sansec this week disclosed active exploitation of a critical vulnerability in the Funnel Builder plugin for WordPress that allows attackers to inject malicious JavaScript into WooCommerce checkout pages. The flaw affects all versions of the plugin before 3.15.0.3, and the plugin is installed on more than 40,000 WooCommerce stores, Sansec said. The issue does not currently have an official CVE identifier.

How the Funnel Builder flaw operates

According to Sansec, Funnel Builder exposes a publicly reachable checkout endpoint that permits an incoming request to select which internal method to run. In older versions, the plugin failed to verify the caller's permissions or restrict which methods could be invoked. An unauthenticated request can therefore reach an internal method that writes attacker-controlled data directly into the plugin's global settings. The added snippet is subsequently injected into every Funnel Builder checkout page.

The practical effect is simple and dangerous: an attacker can add a malicious <script> tag that is executed on every checkout transaction on a vulnerable site, giving the attacker a reliable way to harvest information entered at checkout.
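The flaw class described above, reduced to a generic model so the missing checks are visible. This is an added illustration, not Funnel Builder's code: `Request`, `VulnerableCheckoutEndpoint`, `HardenedCheckoutEndpoint` and the `manage_options` label are hypothetical names chosen for the example. The vulnerable handler resolves whatever method name the request supplies and calls it; the hardened one dispatches only through an explicit allowlist and, for state-changing actions, requires both a capability and a valid request token before anything is written to settings.

```python
"""Generic model of a public endpoint that lets the request pick the internal
method to run (added example; names are hypothetical, not the plugin's)."""
from dataclasses import dataclass


@dataclass
class Request:
    params: dict
    user_capabilities: frozenset = frozenset()  # empty => unauthenticated caller
    has_valid_nonce: bool = False               # CSRF token check result


class Forbidden(Exception):
    pass


class VulnerableCheckoutEndpoint:
    """Dispatches on a caller-supplied method name with no permission check
    and no restriction on which methods are reachable."""

    def __init__(self):
        self.settings = {"external_scripts": ""}

    def get_shipping_rates(self, request):
        return {"rates": ["flat"]}

    def update_settings(self, request):
        # Internal helper; never meant to be reachable from the public endpoint.
        self.settings.update(request.params.get("settings", {}))
        return {"ok": True}

    def handle(self, request):
        # Any attribute name the caller sends is looked up and invoked.
        method = getattr(self, request.params["method"])
        return method(request)


class HardenedCheckoutEndpoint(VulnerableCheckoutEndpoint):
    # Explicit allowlist: action name -> capability required (None = anonymous OK).
    PUBLIC_ACTIONS = {
        "get_shipping_rates": None,           # shoppers may call this
        "update_settings": "manage_options",  # admin-only, state-changing
    }

    def handle(self, request):
        name = request.params.get("method")
        if name not in self.PUBLIC_ACTIONS:
            raise Forbidden(f"unknown action {name!r}")
        needed = self.PUBLIC_ACTIONS[name]
        if needed is not None:
            if needed not in request.user_capabilities:
                raise Forbidden(f"{name} requires capability {needed}")
            if not request.has_valid_nonce:
                raise Forbidden(f"{name} requires a valid request token")
        return getattr(self, name)(request)


def simulate_unauthenticated_write(endpoint_cls):
    """Send an anonymous request that tries to store a script snippet and
    return whatever ended up in the settings (empty string = nothing written)."""
    endpoint = endpoint_cls()
    injected = {"external_scripts": "<script>/* constructed snippet */</script>"}
    try:
        endpoint.handle(Request({"method": "update_settings", "settings": injected}))
    except Forbidden:
        pass
    return endpoint.settings["external_scripts"]


if __name__ == "__main__":
    print("vulnerable:", repr(simulate_unauthenticated_write(VulnerableCheckoutEndpoint)))
    print("hardened:  ", repr(simulate_unauthenticated_write(HardenedCheckoutEndpoint)))
```

The allowlist is the important part: checking capabilities alone still leaves every internal method reachable by name, and a capability check alone does not stop a logged-in administrator's browser from being driven into the same write by a forged request, which is why the state-changing action also demands a valid token.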

Observed payload behavior and command-and-control

Sansec observed at least one payload that impersonated a Google Tag Manager loader and then pulled JavaScript from a remote domain. That remote code opens a WebSocket to an attacker-controlled command-and-control server at "wss://protect-wss[.]com/ws" to retrieve a skimmer tailored to the victim's storefront. The skimmer's objective, Sansec said, is to siphon credit card numbers, CVVs, billing addresses, and other personal information entered during checkout.

Sansec noted that disguising skimmers as analytics or tag-manager snippets is a well-worn Magecart technique: "Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag," the company said.

FunnelKit's patch and recommended remediation for site owners

FunnelKit, the maintainer of Funnel Builder, has released version 3.15.0.3 to address the vulnerability. Sansec and the published advisories recommend that site owners update the Funnel Builder plugin to the latest version and inspect the plugin setting found at Settings > Checkout > External Scripts for any unfamiliar entries, removing anything suspicious.

  • Upgrade Funnel Builder to version 3.15.0.3 or later.
  • Review Settings > Checkout > External Scripts for unknown or suspicious code and remove it.

How site owners, security teams, and customers should respond

Site owners running Funnel Builder on WooCommerce stores should prioritize the plugin upgrade and a manual check of external scripts; the exploit requires no authentication and writes into global settings, so updating the plugin closes the hole but does not remove a snippet that was already stored, and an infection persists until that entry is deleted. Security teams monitoring e-commerce telemetry should hunt for unexpected script loaders that mimic tag-manager or analytics code and investigate WebSocket connections to unknown domains such as the observed "wss://protect-wss[.]com/ws".
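A concrete form of the two checks above, covering both the observed payload behaviour and the hunting guidance. This is an added example, not Sansec's or FunnelKit's tooling: it classifies the URLs found in entries of an External Scripts setting (flagging a snippet that presents itself as Google Tag Manager but loads from a host outside the trusted set, a WebSocket to an unlisted host, or the C2 host named in the report) and scans proxy-style log lines for WebSocket upgrades to unknown hosts. The trusted-host list, the log line format and all sample snippets and log lines are constructed for the example; the only value taken from the article is the defanged C2 domain.

```python
"""Added detection example (not Sansec's or FunnelKit's code): inspect checkout
'External Scripts' entries and proxy-style telemetry for fake tag-manager
loaders and WebSockets to unknown hosts. All sample data is constructed."""
import re
from urllib.parse import urlparse

# Hosts a genuine Google Tag Manager / Analytics loader is expected to contact
# (constructed allowlist; extend it with whatever your store legitimately uses).
TRUSTED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# C2 host from the Sansec report; the article defangs it as protect-wss[.]com.
KNOWN_C2_HOSTS = {"protect-wss.com"}

URL_RE = re.compile(r"""(?:https?|wss?)://[A-Za-z0-9.\-]+(?:/[^\s"'<>]*)?""", re.I)


def refang(text: str) -> str:
    """Turn the defanged form (x[.]y) back into a parseable host."""
    return text.replace("[.]", ".")


def analyse_snippet(snippet: str) -> list:
    """Classify every URL in one External Scripts entry.

    Returns (host, reason) pairs; an empty list means nothing looked wrong."""
    findings = []
    text = refang(snippet)
    claims_gtm = "tag manager" in text.lower() or "gtm" in text.lower()
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in KNOWN_C2_HOSTS:
            findings.append((host, "known-c2"))
        elif parsed.scheme in ("ws", "wss") and host not in TRUSTED_HOSTS:
            findings.append((host, "websocket-to-unknown-host"))
        elif claims_gtm and host not in TRUSTED_HOSTS:
            # Looks like a tag-manager snippet but loads code from elsewhere.
            findings.append((host, "gtm-impersonation"))
        elif host not in TRUSTED_HOSTS:
            findings.append((host, "unlisted-external-host"))
    return findings


def hunt_telemetry(lines) -> list:
    """Flag WebSocket upgrades to hosts outside the allowlist in constructed
    proxy log lines of the form: <ts> <client> <method> <url> <status>."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the hunt
        parsed = urlparse(refang(parts[3]))
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("ws", "wss") and host not in TRUSTED_HOSTS:
            hits.append((parts[0], parts[1], host))
    return hits


# Constructed samples: a genuine-looking GTM loader, a look-alike that loads
# from another host, and an entry wired to the reported C2 endpoint.
SAMPLE_SNIPPETS = {
    "legit": "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){var j=d.createElement(s);"
             "j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})"
             "(window,document,'script','dataLayer','GTM-CONSTRUCTED');</script>",
    "lookalike": "<!-- Google Tag Manager --><script src=\"https://gtm-cdn.example.test/gtm.js\"></script>",
    "c2": "<script>new WebSocket('wss://protect-wss[.]com/ws');</script>",
}
SAMPLE_LOG = [  # constructed proxy lines
    "2026-05-07T10:01:02Z 203.0.113.7 GET https://www.googletagmanager.com/gtm.js 200",
    "2026-05-07T10:01:03Z 203.0.113.7 GET wss://protect-wss.com/ws 101",
    "malformed line",
]

if __name__ == "__main__":
    for name, snippet in SAMPLE_SNIPPETS.items():
        print(name, analyse_snippet(snippet))
    print(hunt_telemetry(SAMPLE_LOG))
```

The allowlist approach is deliberate: a skimmer that copies the familiar GTM comment and function shape defeats eyeballing, but it still has to name the host it actually fetches from, and that host is what gets compared.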

Customers and visitors who enter payment data on compromised checkout pages are the intended victims: their credit card numbers, CVVs, billing addresses, and other personal information are at risk of being exfiltrated by the injected skimmer.

Related incidents and broader patterns

The disclosure follows a separate analysis by Sucuri, published weeks earlier, describing a campaign that backdoored Joomla sites with heavily obfuscated PHP code to contact attacker-controlled C2 servers, accept remote instructions, and serve spammy content without the owner’s knowledge. Sucuri researcher Puja Srivastava described that campaign as a remote-loading approach: "The script acts as a remote loader," Srivastava said. "It contacts an external server, sends information about the infected website, and waits for instructions."

Both disclosures highlight a recurring tactic: attackers implant lightweight loaders that reach out to remote infrastructure to fetch more complex payloads and dynamically change the compromised site's behavior without further local file changes.

For owners of affected stores, the immediate, concrete steps are clear: install Funnel Builder 3.15.0.3 or later and comb through the plugin's External Scripts setting to remove any scripts you did not add. The longer-term question—how to stop malicious loaders from passing as familiar analytics tags and slipping past human review—remains a technical and operational challenge for e-commerce platforms and defenders.

Original reporting: https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html