- Hackers are exploiting a critical flaw in the Funnel Builder WordPress plugin.
- Attackers are injecting credit card skimmers into WooCommerce checkout pages.
- FunnelKit released a patch in version 3.15.0.3, but many sites remain unpatched.
- Stolen card data is being sold online and used for wider cybercrime campaigns.
A newly discovered security flaw in the popular Funnel Builder WordPress plugin is putting thousands of ecommerce websites at risk, with attackers already using the vulnerability to inject credit card skimmers into checkout pages.
Security researchers at Sansec uncovered the campaign after noticing malicious JavaScript code being silently inserted into WooCommerce payment pages. The injected scripts are designed to steal sensitive customer data including credit card numbers, CVV codes, billing addresses, names, and other checkout information during transactions.
The vulnerability affects Funnel Builder, a widely used WordPress plugin developed by FunnelKit. The plugin is popular among online businesses because it helps create customized sales funnels, optimized checkout pages, upsell campaigns, and lead generation systems without requiring coding knowledge. According to current estimates, the plugin is active on more than 40,000 ecommerce websites.
What makes this incident particularly concerning is that the flaw can reportedly be exploited without authentication. That means attackers do not need admin credentials or privileged access to compromise a website. They can simply target vulnerable versions of the plugin and inject malicious code remotely.
Credit Card Skimmers Hidden Inside Checkout Pages
The attack closely resembles classic Magecart-style campaigns, in which cybercriminals compromise ecommerce websites and hide payment-stealing scripts inside legitimate checkout forms.
Once a customer enters payment details during checkout, the malicious code captures the information and sends it to attacker-controlled servers before the payment is even processed. Victims often remain unaware until fraudulent charges appear on their bank statements days or weeks later.
Researchers say the stolen data gives criminals everything they need to commit online payment fraud. In many cases, however, attackers prefer to sell the stolen card details on underground marketplaces and dark web forums where cybercriminals buy fresh payment data in bulk.
Security experts also warn that stolen payment cards are frequently used to fund other cybercrime operations. Fraudsters often use compromised cards to purchase advertisements on legitimate ad platforms, helping them spread malware, phishing pages, infostealers, and ransomware campaigns at scale.
That creates a dangerous cycle where one compromised ecommerce site can indirectly contribute to much larger cyberattacks affecting businesses and consumers worldwide.
Thousands of WordPress Sites Still Vulnerable
FunnelKit has already released a patched version of the plugin to address the issue. Users are being strongly urged to update to Funnel Builder version 3.15.0.3 immediately to close the security gap.
Despite the availability of a fix, a large number of websites still appear to be running outdated versions.
At the time of reporting, official WordPress statistics suggested that more than half of active installations were still using older vulnerable builds. Roughly 50.3% of users had not yet moved to version 3.15, leaving at least 20,000 websites potentially exposed to attack.
The actual number could be significantly higher, because the statistics only distinguish the 3.15 branch: a site reporting version 3.15 may still be on an earlier 3.15.x build rather than the patched 3.15.0.3 release.
Security researchers warn that attackers are actively scanning the internet for vulnerable WordPress websites, meaning unpatched stores may already be compromised without their owners realizing it.
Why Ecommerce Businesses Need to Act Fast
For online retailers, the consequences of a payment skimming attack can be severe. Beyond financial losses, businesses risk reputational damage, customer distrust, legal complications, and possible penalties related to data protection regulations.
Experts recommend that website owners immediately update the Funnel Builder plugin, review checkout pages for unauthorized JavaScript, monitor server logs for suspicious activity, and rotate administrative credentials as a precaution.
Store owners should also monitor payment processor alerts and watch for unusual spikes in failed transactions or customer complaints related to fraudulent card activity.
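The two checks above (confirm the installed plugin is actually at the patched level, and look for JavaScript on the checkout page that the store owner cannot account for) in script form. This is an added example for this article, not code from FunnelKit, Sansec or WordPress; the sample checkout HTML, the allowlist and every hostname in it are constructed, and the only value taken from the article is the 3.15.0.3 patch version.

```python
"""Defensive checks for the Funnel Builder advisory: verify the installed
plugin version is at or above the patched release, and audit a rendered
WooCommerce checkout page for <script> tags that are not on an allowlist.
Example code added to this article; the sample HTML, allowlist and hosts
below are constructed, not taken from a real store."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PATCHED_VERSION = "3.15.0.3"  # fix release named in the article


def parse_version(version: str) -> tuple:
    """'3.15.0.1' -> (3, 15, 0, 1). Tuple comparison handles short strings:
    '3.15' becomes (3, 15), which compares lower than (3, 15, 0, 3)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str) -> bool:
    """True only when the installed build is 3.15.0.3 or newer. Being on the
    3.15 branch is not enough: earlier 3.15.x builds predate the fix."""
    return parse_version(installed) >= parse_version(PATCHED_VERSION)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes
        self.inline = []     # bodies of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def audit_checkout_scripts(html: str, allowed_hosts: set) -> dict:
    """Return external script URLs whose host is not on the allowlist, plus
    every inline script for manual review. Any hit is something the store
    owner should be able to explain; an unexpected third-party host loaded
    on the payment step is the pattern described in the article."""
    collector = ScriptCollector()
    collector.feed(html)
    unexpected = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # relative URLs have no host and are treated as same-origin
        if host and host not in allowed_hosts:
            unexpected.append(src)
    return {"unexpected_external": unexpected,
            "inline_count": len(collector.inline),
            "inline": collector.inline}


# Constructed sample: a checkout page loading the store's own scripts plus
# one script from a host that is not on the allowlist.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://cdn.unknown-host.example/analytics.js"></script>
<script>window.wcSettings = {"currency": "USD"};</script>
</head><body><form id="checkout"></form></body></html>
"""

ALLOWED_HOSTS = {"shop.example"}  # constructed: the store's own origin

if __name__ == "__main__":
    for v in ("3.14.2", "3.15", "3.15.0.1", "3.15.0.3", "3.16"):
        print(f"{v:>9}: {'patched' if is_patched(v) else 'UPDATE NEEDED'}")
    report = audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS)
    for src in report["unexpected_external"]:
        print("unexpected external script:", src)
    print("inline scripts to review:", report["inline_count"])
```

Run the audit against the HTML the checkout page actually serves to a browser (for example a saved copy of the rendered page), not against the theme files on disk, since an injected skimmer may be added at render time. Populate the allowlist with the store's own origin and any payment or analytics hosts the business knowingly uses; everything else that appears on the payment step deserves an explanation.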
The incident is another reminder of how third-party plugins continue to be one of the biggest security risks in the WordPress ecosystem. Even widely trusted and professionally maintained plugins can become attractive targets for cybercriminals once vulnerabilities are discovered.
With ecommerce attacks becoming more sophisticated, security researchers say rapid patching and continuous monitoring are no longer optional for online businesses handling customer payments.