Funnel Builder Plugin Exploited to Inject Credit Card Skimmers

Funnel Builder is active on more than 40,000 websites — and a flaw in the plugin has been weaponized to harvest payment data directly from WooCommerce checkout pages.

How the Funnel Builder flaw is exploited

Security researchers at Sansec reported that an unpatched, unauthenticated vulnerability in the Funnel Builder plugin for WordPress can be abused to modify the plugin’s global settings through a publicly exposed checkout endpoint. The flaw affects all versions of the plugin before 3.15.0.3 and “has not received an official identifier,” according to the published notice. By changing the plugin’s configuration, an attacker can insert arbitrary JavaScript into the plugin’s “External Scripts” setting so that the malicious code executes on every checkout page controlled by the plugin.

The analytics-reports[.]com payload and the WebSocket connection

Sansec observed the active malicious payload delivered as analytics-reports[.]com/wss/jquery-lib.js, a script disguised to mimic Google Tag Manager or Google Analytics. That script opens a persistent WebSocket to an external host at wss://protect-wss[.]com/ws. The combination—an injected script and an outbound WebSocket—gives the attacker a real-time channel to collect and exfiltrate checkout data as customers complete transactions.

What the skimmer steals

According to Sansec’s analysis, the attacker-controlled server supplies a customized payment card skimmer that captures credit card numbers, CVVs, billing addresses, and other customer information entered on checkout pages. The published advisory notes that payment card skimmers like these enable fraudulent online purchases and that stolen records frequently appear for sale, “individually or in bulk on dark web portals known as carding markets.”

FunnelKit’s patch and remediation guidance

FunnelKit addressed the vulnerability in Funnel Builder with the release of version 3.15.0.3, which was published yesterday. A security advisory from the vendor, seen by Sansec, confirms the exploitation and states: “we identified an issue that allowed bad actors to inject scripts.” The vendor’s recommended actions for website owners and administrators are to prioritize updating to the latest version from the WordPress dashboard and to review Settings > Checkout > External Scripts for any rogue scripts the attacker may have added.

What this means for technologists and security teams, merchants, and shoppers

  • Technologists and security teams should treat any Funnel Builder instance running a version prior to 3.15.0.3 as compromised until proven otherwise, update immediately, and scan checkout pages for the analytics-reports[.]com/wss/jquery-lib.js artifact and unexpected WebSocket connections to wss://protect-wss[.]com/ws.
  • Merchants and procurement leads who deploy Funnel Builder or manage third-party agencies must confirm plugins are upgraded via the WordPress dashboard and review Settings > Checkout > External Scripts for injected code added prior to the patch.
  • Shoppers and customers whose payment details were entered on sites using Funnel Builder before the patch should assume their card data may have been exposed and follow standard recovery steps with their card issuer if they notice unauthorized activity; the vendor advisory makes clear scripts were used to steal card numbers, CVVs, billing addresses, and other customer information.

The vulnerability’s combination of unauthenticated access, a configuration-level write primitive against a widely deployed plugin, and an injected script that masquerades as analytics software underscores a simple reality: checkout pages are high-value attack surfaces. Operators running Funnel Builder should update to version 3.15.0.3 and inspect External Scripts immediately; the vendor confirmed the issue and provided a path to remediate. For further detail, the original Sansec-backed report and vendor advisory are available at the source below.

https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/