Critical alert: failure at Funnel Builder exposes WooCommerce payments to skimmers

Published · 4 min read

A critical bug in the Funnel Builder (FunnelKit) plugin for WordPress, used to customize WooCommerce checkout pages, is being actively exploited to inject malicious JavaScript into the checkout and steal customer payment data. The vulnerability lets an unauthenticated attacker modify the plugin's global configuration through a publicly exposed checkout endpoint, which turns any store running a version prior to 3.15.0.3 into a target for card skimmers.

Public metrics indicate that Funnel Builder is active on tens of thousands of sites, so the exposure is broad: an attacker can write to the plugin's "External Scripts" setting and have an arbitrary external script loaded on every checkout page. According to the technical analysis published by Sansec, attackers serve a loader that poses as Google Tag Manager / Google Analytics and opens a WebSocket connection to download and run a custom skimmer that collects card numbers, CVV, billing addresses and other buyer data. For technical details and samples, see Sansec's original report at https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited.


If you run a WooCommerce store that used Funnel Builder before 3.15.0.3, assume it may have been compromised. The first immediate step is to update the plugin from the WordPress admin panel to the fixed version (3.15.0.3 or later). The official plugin page in the WordPress repository carries the version history and lets you check active installations: https://wordpress.org/plugins/funnel-builder/. Do not postpone this update: automated exploitation typically spreads quickly once a vulnerability is public.

Updating alone is not enough if the attacker already had time to insert malicious scripts. Check the Settings > Checkout > External Scripts section of the plugin for unauthorized entries and remove any foreign URL or code. In addition, inspect the database (the options table in particular) and plugin files for recent changes to plugin settings and checkout hooks; skimmers often leave traces in settings fields or in custom options.
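The two checks above (is the installed version still below 3.15.0.3, and does any stored setting reference a script host the store never approved) are easy to get subtly wrong by hand, so here is an added example, not code from the page, Sansec or FunnelKit, that does both over a constructed options export. The allowlist of script hosts, the option key names and the sample values are assumptions; the page does not say under which key the plugin stores "External Scripts", so the key used here is hypothetical and the scan looks at every option value instead:

```python
"""Post-incident audit helpers for a WooCommerce store that ran FunnelKit
Funnel Builder. Added example, not code from the page, Sansec or FunnelKit.
Assumptions are marked where they appear."""
import re
from urllib.parse import urlparse

# From the advisory: the fix shipped in 3.15.0.3; anything earlier is exposed.
FIXED_VERSION = (3, 15, 0, 3)


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is older than 3.15.0.3.
    Compare numerically: as strings, '3.15.0.10' < '3.15.0.3', which would
    wrongly flag a future patched release as vulnerable."""
    inst, fixed = parse_version(installed), FIXED_VERSION
    width = max(len(inst), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(inst) < pad(fixed)


# Assumption: the only third-party hosts this store's checkout should ever
# load scripts from. Replace with the store's real allowlist.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Absolute and protocol-relative URLs inside HTML/JS snippets.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.I)


def external_hosts(blob: str) -> set:
    hosts = set()
    for raw in URL_RE.findall(blob):
        url = raw if raw.lower().startswith("http") else "https:" + raw
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def audit_options(options: dict) -> list:
    """Scan option_name -> option_value pairs (for example a wp_options export)
    for injected script tags or URLs pointing outside the allowlist.
    Also flags any inline 'new WebSocket(' since the reported loader opens a
    WebSocket to fetch its payload. Obfuscated payloads (base64, string
    splitting) will not match these patterns; treat a clean result as
    necessary, not sufficient."""
    findings = []
    for name, value in options.items():
        low = value.lower()
        if "<script" not in low and "//" not in value and "websocket" not in low:
            continue
        unexpected = sorted(h for h in external_hosts(value) if h not in ALLOWED_SCRIPT_HOSTS)
        websocket = "new websocket(" in low
        if unexpected or websocket:
            findings.append({"option": name, "hosts": unexpected, "websocket": websocket})
    return findings


# Constructed sample (not real data). The option keys are hypothetical: the
# page does not name the key under which the plugin stores "External Scripts".
SAMPLE_OPTIONS = {
    "blogname": "Example Shop",
    "example_checkout_external_scripts": (
        '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>\n'
        '<script src="//cdn-metrics.example/gtag.js"></script>'
    ),
    "example_footer_html": "<p>Thanks for shopping with us</p>",
}

if __name__ == "__main__":
    print("3.15.0.2 vulnerable:", is_vulnerable("3.15.0.2"))
    for f in audit_options(SAMPLE_OPTIONS):
        print(f)
```

Feed `audit_options` the output of a `wp option list` export or a direct `SELECT option_name, option_value FROM wp_options` dump. Anything it flags is a lead, not a verdict: the legitimate tag-manager entry passes because its host is on the allowlist, while the second tag, loaded protocol-relative from a host nobody approved, is exactly the pattern the advisory describes.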

You must also treat customer data as at risk: inform the relevant parties (for example the payment gateway provider and your PCI compliance team, if applicable), prepare a notification for affected customers if exfiltration is confirmed, and consider forcing a rotation of payment-related keys or credentials. Monitor transactions for fraud patterns and, if you detect fraudulent charges, coordinate the response with the gateway and the card issuers.


On the technical side, enable logging and analysis of outbound traffic from the checkout page to identify requests to suspicious domains (for example domains resembling analytics-reports[.]com, or WebSocket connections to external hosts such as protect-wss[.]com, both named in the reports). Keep in mind that the skimmer runs in the shopper's browser, so those connections originate from customers' machines and will not appear in the server's own egress logs; browser-side telemetry or loading the checkout in an instrumented browser is needed to see them. Add rules in the WAF to block script loads from unauthorized external sources, and apply integrity monitoring on files and the database to detect reinfection. If you lack the internal capacity, engage an incident response team with e-commerce experience.
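Because the injected script and its WebSocket channel run in the shopper's browser, the practical place to both block them and collect the "outbound traffic" evidence the paragraph asks for is a Content-Security-Policy on the checkout page, which complements the WAF rules above. The following is an added example, not code from the page, Sansec or FunnelKit: it builds the policy (note that `connect-src` is the directive that governs WebSocket connections, so an allowlist on `script-src` alone does not cut the exfiltration channel) and triages the violation reports browsers POST back. The allowed hosts, the report endpoint path, the hostnames in the constructed reports and the report format details beyond the standard `csp-report` fields are assumptions:

```python
"""Client-side blocking and detection for a skimmer injected into checkout.
Added example, not from the page, Sansec or FunnelKit. Assumptions marked."""
import json
from urllib.parse import urlparse

# Assumption: the only third parties the checkout legitimately loads scripts
# from or talks to. Add the payment gateway's JS/API hosts for a real store.
ALLOWED_SCRIPT_ORIGINS = ["https://www.googletagmanager.com", "https://www.google-analytics.com"]
ALLOWED_CONNECT_ORIGINS = ["https://www.google-analytics.com"]
REPORT_ENDPOINT = "/csp-report"  # hypothetical collector path on the store


def build_csp(report_only: bool = False) -> tuple:
    """Return (header_name, header_value) for the checkout response.
    Enforcing mode blocks the foreign script and its wss:// channel;
    report-only mode shows what would break before you enforce it.
    connect-src, not script-src, is what governs WebSocket connections."""
    value = "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(ALLOWED_SCRIPT_ORIGINS),
        "connect-src 'self' " + " ".join(ALLOWED_CONNECT_ORIGINS),
        "report-uri " + REPORT_ENDPOINT,
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def triage_csp_reports(lines: list) -> list:
    """Parse violation reports (one JSON object per line, as POSTed to
    report-uri) and keep the ones relevant to a skimmer hunt: a blocked
    script load or a blocked connection (wss:// included) to a host outside
    the allowlists. Inline violations (blocked-uri 'inline') have no host and
    are skipped here; handle them separately if you use nonces."""
    allowed = {urlparse(u).hostname for u in ALLOWED_SCRIPT_ORIGINS + ALLOWED_CONNECT_ORIGINS}
    hits = []
    for line in lines:
        try:
            rep = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed or unrelated line
        directive = rep.get("effective-directive") or rep.get("violated-directive", "")
        directive = directive.split()[0] if directive else ""
        if directive not in ("script-src", "connect-src"):
            continue
        blocked = rep.get("blocked-uri", "")
        host = urlparse(blocked).hostname
        if host is None or host in allowed:
            continue
        hits.append({
            "page": rep.get("document-uri"),
            "directive": directive,
            "host": host,
            "websocket": blocked.startswith(("ws://", "wss://")),
        })
    return hits


# Constructed sample reports (not real data); hostnames are hypothetical.
SAMPLE_REPORTS = [
    '{"csp-report":{"document-uri":"https://shop.example/checkout/","effective-directive":"script-src","blocked-uri":"https://cdn-metrics.example/gtag.js"}}',
    '{"csp-report":{"document-uri":"https://shop.example/checkout/","effective-directive":"connect-src","blocked-uri":"wss://ws-relay.example/socket"}}',
    '{"csp-report":{"document-uri":"https://shop.example/","effective-directive":"img-src","blocked-uri":"https://images.example/x.png"}}',
    '{"csp-report":{"document-uri":"https://shop.example/checkout/","effective-directive":"script-src","blocked-uri":"https://www.googletagmanager.com/gtm.js"}}',
    "not json at all",
]

if __name__ == "__main__":
    print(*build_csp(report_only=True))
    for hit in triage_csp_reports(SAMPLE_REPORTS):
        print(hit)
```

Roll it out in report-only mode first, watch the collector for a few days of real checkouts, then switch to enforcing. A `connect-src` hit whose blocked URI starts with `wss://` on a checkout page is the signature the reports describe and should be treated as an active skimmer until proven otherwise.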

This incident is a reminder that plugins that touch the payment flow are a critical attack vector: a store's security depends not only on the WordPress core but on every extension with a hook into the checkout. Keep an inventory of plugins, apply updates promptly, limit administrative privileges and audit any configuration that allows external scripts to run. For payment security and compliance best practices, see the PCI DSS guidelines at https://www.pcisecuritystandards.org/ and the WordPress and WooCommerce hardening resources published by specialized security providers.

If you need hands-on help auditing an affected installation or designing a remediation and communication plan, consider engaging incident response specialists and skimmer cleanup providers that offer forensic traffic analysis and safe recovery of e-commerce environments.
