A critical bug in the Funnel Builder (FunnelKit) plugin for WordPress is being exploited in real environments to inject malicious JavaScript into WooCommerce's payment pages and steal card and billing data, according to the analysis published this week by the Sansec security firm. The defect affects all versions prior to 3.15.0.3 and its operation allows non-authenticated actors to add arbitrary code that runs on each checkout, which makes any vulnerable store a direct target for paid skimmers.
The technique described by the researchers takes advantage of a public endpoint oriented to the checkout which, in old versions, did not verify permits or limit what internal methods could be invoked. By an unauthenticated request an attacker can force the attacker's controlled data writing into the plugin's global settings and thus insert script tags into the option that Funnel Builder uses to "External Scripts". In the incidents observed the payload passes through a Google Tag Manager / Analytics and ends up loading a remote loader that opens a WebSocket connection to the command and control server to download a specific skimmer for the compromised store.
The practical consequence is serious: the malicious code runs in the payment flow and can capture card numbers, CVV, billing addresses and other sensitive data that customers enter into the checkout form. This is not only a direct fraud, but a risk of sanctions for PCI non-compliance and a reputational damage that can last.
FunnelKit has already published a patch in the version 3.15.0.3. If you manage a WooCommerce store you must update immediate and priority that plugin to the parched version. In addition to the update, it is appropriate to check the Settings > Checkout > External Scripts setting and remove any unknown or suspicious script. Sansec and other response teams point out that skimmers are often camouflaged as legitimate tracking labels, so it is easy to ignore risk during surface audits.
In addition to updating and reviewing the configuration, there are practical measures that reduce impact and help remediation. Undertake a full site scan with confidence security solutions or external services to detect malicious loads and back doors; check the database - for example, looking for wp _ options values containing labels < script > o unknown domains -; inspect the checkout output from the browser and network tools to detect WebSocket connections or calls to suspicious external domains; and re-establish administrative passwords and API keys if you find signs of engagement.
If you already suspect that there was data exfiltration, document the temporary window of the possible commitment, keep logs, contact your payment provider and value reporting the incident according to applicable legal obligations. To reduce the likelihood of future intrusions it is recommended to limit the installed plugins to the strictly necessary ones, maintain automatic updates where it is safe to apply them, and strengthen the web with a WAF and a continuous monitoring system that detects changes in file integrity and in the HTML output of the checkout.
This case fits into a broader trend: recent campaigns have shown how attackers insert dynamic payload and remote drivers in CMS and stores to change the behavior of committed sites without permanently touching local files, a technique that Sucuri and other firms have documented in contexts such as campaigns against Joomla and other ecosystems. The tactic of disguising skimmers as Google Tag Manager or Google Analytics is recurrent and effective for its ability to pass unnoticed.
To read the technical analysis and the original indications consult the specialized safety sources; Sansec's research provides technical details on the operation, and incident response reports such as Sucuri's help to understand similar patterns in other CMS. Sansec and Sucuri are good starting points for operational information and recommendations. If you need general instructions on how to keep WordPress and its plugins up to date, official WordPress documentation is also useful: WordPress plugin management.
Practical summary: update Funnel Builder to version 3.15.0.3 or higher, review and clean the External Scripts option in Checkout, scan and investigate commitment indicators (unusual scripts, WebSocket connections to unknown domains, suspicious wp _ options entries), break sensitive credentials and coordinate with your payment processor if there are exfiltration signals. Prevention and early detection are the best defense against this type of skimmers directed to online stores.
18-year-old Ukrainian youth leads a network of infostealers that violated 28,000 accounts and left $250,000 in losses
The Ukrainian authorities, in coordination with US agents. They have focused on an operation of infostealer which, according to the Ukrainian Cyber Police, was allegedly adminis...
The digital signature is in check: Microsoft dismands a service that turned malware into apparently legitimate software
Microsoft announced the disarticulation of a "malware-signing-as-a-service" operation that exploited its device signature system to convert malicious code into seemingly legitim...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
Identity is no longer enough: continuous verification of the device for real-time security
Identity remains the backbone of many security architectures, but today that column is cracking under new pressures: advanced phishing, real-time proxyan authentication kits and...
The dark matter of identity is changing the rules of corporate security
The Identity Gap: Snapshot 2026 report published by Orchid Security puts numbers to a dangerous trend: the "dark matter" of identity - accounts and credentials that are neither ...
PinTheft the public explosion that could give you root on Arch Linux
A new public explosion has brought to the surface again the fragility of the Linux privilege model: the V12 Security team named the failure as PinTheft and published a concept t...