[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYfVojQFEYz-wP5XXWzOFhpfd4oaTn1hmt3jtF0RmwPg":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"e3135cd4-131f-496b-9fb5-af0474d7922b","Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming","funnel-builder-flaw-under-active-exploitation-enables-woocommerce-checkout-skimm-2458d5","A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It","A critical, unauthenticated vulnerability in the Funnel Builder WordPress plugin (affecting 40,000+ WooCommerce stores) is being actively exploited to inject malicious JavaScript into checkout pages and steal payment data. Attackers inject fake Google Tag Manager scripts that harvest credit card numbers, CVVs, and billing addresses. FunnelKit has released patch version 3.15.0.3; site owners should update immediately and review the External Scripts settings for suspicious code.","Funnel Builder WordPress plugin vulnerability under active exploitation for WooCommerce checkout skimming attacks.","Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming. Ravie Lakshmanan, May 16, 2026. Vulnerability \u002F Website Security. A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. 
The vulnerability currently does not have an official CVE identifier. It affects all versions of the plugin before 3.15.0.3. It's used in more than 40,000 WooCommerce stores. The flaw lets unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store, the Dutch e-commerce security company said. FunnelKit, which maintains Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3. \"Attackers are planting fake Google Tag Manager scripts into the plugin's 'External Scripts' setting,\" it noted. \"The injected code looks like ordinary analytics next to the store's real tags, but loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from checkout.\" Per Sansec, Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run. However, older versions were designed such that they never checked the caller's permissions or limited which methods are allowed to be invoked. A bad actor could exploit this loophole by issuing an unauthenticated request that can reach an unspecified internal method that writes attacker-controlled data directly into the plugin's global settings. The added code snippet is then injected into every Funnel Builder checkout page. As a result, an attacker could plant a malicious \u003Cscript> tag that's triggered on every checkout transaction in a susceptible WordPress site. In at least one case, Sansec said it observed a payload masquerading as a Google Tag Manager (GTM) loader to launch JavaScript hosted on a remote domain. It subsequently opens a WebSocket connection to the attacker's command-and-control (C2) server (\"wss:\u002F\u002Fprotect-wss[.]com\u002Fws\") to retrieve a skimmer that's tailored to the victim's storefront. The end goal of the attack is to siphon credit card numbers, CVVs, billing addresses, and other personal information that could be entered by site visitors at checkout. 
Site owners are advised to update the Funnel Builder plugin to the latest version and review Settings > Checkout > External Scripts for anything that's unfamiliar and remove it. \"Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag,\" Sansec said. The disclosure comes weeks after Sucuri detailed a campaign in which Joomla websites are being backdoored with heavily obfuscated PHP code to contact attacker-controlled C2 servers, receive and process instructions sent by the operators, and serve spammy content to visitors and search engines without the site owner's knowledge. The ultimate aim is to leverage the sites' reputation for injecting spam. \"The script acts as a remote loader,\" security researcher Puja Srivastava said. \"It contacts an external server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site should serve.\" \"This approach allows attackers to change the behavior of the compromised website at any time without modifying the local files again. The attacker can inject spam product links, redirect visitors, or display malicious pages dynamically.\" 
","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Ffunnel-builder-flaw-under-active.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgYS8AhChFEeH6IwT4x1eB5VAeGfriF4VVcwINAxXVIGyap3g0CKx0R2BdI4s99cE3Q5JHr-KUVHqdhAFNfQIrCTJ6p-vq7u5naMTwb-WFjgis4vBdR29M94wAT-Dqh46zsbo4heSJOVdFRxXzR3SgHt2ZoTPPBEbB3cu4azACiFFl7jcIGNxw1d_U7eVU9\u002Fs1600\u002Ffunnel.png","2026-05-16T15:20:48+00:00","2026-05-16T18:00:24.330791+00:00",9,[18,21,24,26,28,31],{"name":19,"type":20},"Funnel Builder","product",{"name":22,"type":23},"FunnelKit","vendor",{"name":25,"type":20},"WooCommerce",{"name":27,"type":20},"WordPress",{"name":29,"type":30},"Magecart","campaign",{"name":32,"type":33},"Google Tag Manager (GTM)","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":34,"icon":36,"name":37,"slug":38},null,"Vulnerabilities","vulnerabilities",[40,45],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",[51,55],{"type":52,"value":53,"context":54},"domain","protect-wss.com","C2 server hosting WebSocket connection for payment skimmer payload delivery",{"type":56,"value":57,"context":58},"malware","Magecart payment skimmer","JavaScript-based payment data harvesting tool masquerading as Google Tag Manager"]