Critical WordPress Funnel Builder Flaw Enables E‑Skimmer Injection into WooCommerce Checkout Pages
What Happened – A critical unauthenticated vulnerability in the Funnel Builder plugin for WordPress (by FunnelKit) allows attackers to write arbitrary JavaScript into the plugin’s “External Scripts” setting. The malicious script is rendered on every WooCommerce checkout page, acting as a payment skimmer that harvests credit‑card numbers, CVVs, and billing addresses.
Why It Matters for TPRM –
- The flaw can be weaponised across any of the ~40,000 WooCommerce stores that run Funnel Builder, creating a massive supply‑chain exposure.
- Stolen payment data can trigger PCI‑DSS violations, fraud liability, and brand‑reputation damage for both merchants and their payment‑service partners.
- The attack bypasses traditional endpoint protection because the malicious code is delivered via a trusted WordPress plugin.
Who Is Affected – Retail & e‑commerce merchants using WooCommerce with the Funnel Builder plugin; third‑party payment processors and fraud‑prevention services integrated with those stores.
Recommended Actions –
- Update Funnel Builder to v3.15.0.3 or later immediately.
- Audit the “External Scripts” configuration for unknown <script> tags and remove any suspicious entries.
- Deploy a Web Application Firewall rule to block unauthorized script injections on checkout URLs.
- Conduct a post‑compromise review of payment logs for anomalous card‑data transmissions.
- Verify PCI‑DSS compliance and consider tokenisation or hosted‑payment gateways to reduce exposure.
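The audit step above can be scripted. The following is an added example, not code from FunnelKit or from the original advisory: it takes the raw value of the plugin's “External Scripts” setting as a string (for example exported with WP-CLI's `wp option get`; the page does not name the option, so that lookup is left to the operator), parses every `<script>` tag, and flags any external `src` whose host is not on a site-specific allowlist as well as any inline body that opens a WebSocket, references `wss://`, touches card-field names, or decodes/evaluates strings. The allowlist and the sample setting value (including the hosts ending in `.example.invalid`) are constructed for illustration.

```python
"""Audit a WordPress plugin's "External Scripts" setting for skimmer-style tags.

Added example (not code from FunnelKit or the advisory). Assumptions: the
setting has already been exported as a string; the allowlist below and the
sample input are constructed and must be adapted to the store being audited.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads checkout-page scripts from
# (constructed allowlist: edit to match the site).
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Inline-script patterns that are suspicious on a checkout page: the advisory's
# injected code opened a WebSocket to a C2 host, and skimmers commonly read
# card fields and hide their payload behind atob()/eval().
SUSPICIOUS_INLINE = [
    re.compile(r"new\s+WebSocket\s*\(", re.I),
    re.compile(r"wss?://", re.I),
    re.compile(r"\b(cvv|cvc|card_number|cardnumber)\b", re.I),
    re.compile(r"\b(?:atob|eval)\s*\(", re.I),
]


class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> tag in the setting."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # each entry: {"src": str | None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script contents to handle_data as raw text.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def audit_external_scripts(setting_value, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return one finding string per suspicious <script> tag (empty list if clean)."""
    parser = _ScriptCollector()
    parser.feed(setting_value)
    findings = []
    for i, s in enumerate(parser.scripts, 1):
        if s["src"]:
            # Protocol-relative and absolute URLs both yield a hostname here.
            host = (urlparse(s["src"]).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(
                    f"script #{i}: external src on non-allowlisted host {host!r}: {s['src']}"
                )
        for pat in SUSPICIOUS_INLINE:
            if pat.search(s["body"]):
                findings.append(f"script #{i}: inline body matches {pat.pattern!r}")
                break  # one finding per tag is enough to trigger review
    return findings


# Constructed sample: a legitimate GTM pair followed by a look-alike loader
# on an unknown host and an inline WebSocket beacon (hosts are placeholders).
SAMPLE_SETTING = """
<!-- Google Tag Manager -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<!-- masquerades as analytics but is served from an unknown host -->
<script src="https://analytics-cdn.example.invalid/gtag.js"></script>
<script>
  var s = new WebSocket("wss://c2.example.invalid/ws");
</script>
"""

if __name__ == "__main__":
    for line in audit_external_scripts(SAMPLE_SETTING):
        print(line)
```

Run against the sample, the two legitimate tags produce nothing and the two injected ones each produce a finding. Treat any non-empty result as a reason to compare the setting with a known-good backup rather than editing it in place, since the setting itself may be rewritten again until the plugin is updated.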
Technical Notes – The vulnerable endpoint fails to enforce permission checks, allowing any unauthenticated request to modify global plugin settings. The injected code masquerades as a Google Tag Manager/Analytics script, then loads a second‑stage loader from an attacker‑controlled domain and opens a WebSocket to a C2 server (wss://protect-wss.]com/ws). No public CVE has been assigned yet. Source: [Security Affairs