WooCommerce Checkout Skimming Attack Exploits Unpatched Funnel Builder Vulnerability
Breaking: Active Exploitation Targets WooCommerce Payment Data via WordPress Plugin Flaw
A critical security vulnerability in the Funnel Builder plugin for WordPress is being actively exploited in the wild. Attackers are injecting malicious JavaScript code into WooCommerce checkout pages to steal sensitive payment information.

The exploit allows cybercriminals to intercept credit card details, billing addresses, and other payment data as customers complete purchases. The flaw currently lacks an official CVE identifier, leaving many site owners unaware of the threat.
Details of the Attack
Security firm Sansec published a detailed report on the activity this week. According to their analysis, the injection occurs via a vulnerable parameter in the Funnel Builder plugin, which then loads a remote script from an attacker-controlled server.
“This is a classic skimming attack, but it leverages a legitimate plugin vulnerability rather than direct server compromise,” said a Sansec researcher. “The malicious JavaScript is designed to be stealthy and only activates on WooCommerce checkout pages.”
Background
Funnel Builder is a popular WordPress plugin used to create sales funnels, landing pages, and checkout flows. It integrates deeply with WooCommerce, the leading e-commerce platform for WordPress. Because the plugin handles payment processes, any vulnerability can directly impact financial data security.
The flaw appears to affect all versions of Funnel Builder prior to the latest patch. However, the vendor has not yet released a security update, leaving thousands of online stores exposed. The vulnerability is being exploited without requiring authentication, making it particularly dangerous.
What This Means
For store owners using WooCommerce with Funnel Builder, this is an urgent threat. Even if you are not directly aware of a breach, your checkout pages may already be compromised. Attackers can silently skim payment data without altering normal site behavior.

“Site administrators should immediately disable the Funnel Builder plugin if they are unable to apply a patch,” advised a security consultant not affiliated with Sansec. “Additionally, review recent DNS and network logs for suspicious outbound connections, especially to unknown domains.”
Customers who have made purchases on affected sites should monitor their bank statements for unauthorized transactions and consider contacting their card issuer. The risk of data theft is highest for transactions processed in the last few weeks since the active exploitation began.
Recommended Actions
- Disable Funnel Builder until a patched version is available.
- Scan your website for injected JavaScript – look for scripts loaded from unfamiliar URLs.
- Check Sansec’s report for indicators of compromise (IOCs).
- Notify affected customers and coordinate with payment processors.
Security experts emphasize that this is a zero-day-like situation due to the lack of a CVE and official patch. All WooCommerce store owners using Funnel Builder should treat this as a critical incident. Learn more about the vulnerability in the Background section. For immediate steps, see the What This Means section.