Hackers Hijack WooCommerce Checkouts Through FunnelKit Plugin Flaw, Thousands of Stores at Risk + Video


Online Stores Face a Dangerous New WordPress Threat

A serious cybersecurity incident is shaking the WooCommerce ecosystem after researchers discovered that attackers are actively exploiting a critical flaw in the popular Funnel Builder plugin developed by FunnelKit. The vulnerability allows hackers to secretly inject malicious JavaScript into checkout pages, turning normal online stores into silent payment card theft operations.

The issue was uncovered by researchers at Sansec, a cybersecurity firm known for monitoring digital skimming attacks targeting eCommerce platforms. According to the researchers, the attack is already happening in the wild, meaning real stores and real customers are currently being affected.

Funnel Builder is widely used in the WordPress ecosystem and is installed on more than 40,000 WooCommerce-powered stores. The plugin helps merchants optimize checkout flows, upsells, and sales funnels. Unfortunately, its popularity also made it an attractive target for cybercriminals.

Attackers Quietly Inject Fake Tracking Scripts

Researchers found that hackers are abusing the plugin’s “External Scripts” feature to inject malicious code disguised as legitimate analytics tools such as Google Tag Manager or Google Analytics.

At first glance, the injected script appears harmless. Store owners checking their settings may assume the code belongs to standard tracking or marketing tools already used by their websites. In reality, the malicious script silently loads a hidden payment skimmer from an attacker-controlled server.

This skimmer is specifically designed to steal highly sensitive customer information during checkout transactions. The stolen data includes:

Credit card numbers

CVV security codes

Billing addresses

Payment details

Customer identity information

Because the attack runs directly inside the checkout process, victims often have no indication their information has been compromised.

Vulnerability Allows Unauthenticated Access

The most alarming part of the discovery is how easy the attack appears to be.

According to Sansec researchers, the vulnerable endpoint inside the plugin failed to properly verify user permissions. This means attackers could send specially crafted requests without authentication and directly modify plugin settings.

The flaw effectively gave outsiders the ability to write attacker-controlled code into global configuration options. Once malicious scripts were inserted into the “External Scripts” field, the code automatically loaded on every checkout page powered by Funnel Builder.

That transformed infected stores into large-scale card harvesting operations.

Researchers explained that attackers did not need administrator credentials to exploit the weakness. The missing permission checks created an open door for remote abuse.
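The bug class described above, a settings endpoint that writes attacker-supplied values without checking who is calling, is easiest to see with the vulnerable handler next to its hardened form. The following is an added Python model written for this article, not FunnelKit's code and not WordPress's API: WordPress plugins would express the same checks with `current_user_can('manage_options')` and a nonce check such as `check_ajax_referer()`. The `Request`, `SettingsStore` and option names are constructed for the example, and the nonce is a simplified HMAC rather than WordPress's time-windowed token.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Only these option keys may be written through the settings endpoint (model allowlist).
WRITABLE_OPTIONS = {"external_scripts", "checkout_theme"}


@dataclass
class Request:
    user: Optional[str]            # None models an anonymous visitor
    capabilities: FrozenSet[str]   # e.g. {"manage_options"} for an administrator
    nonce: Optional[str]           # per-user, per-action token sent with the request
    body: Dict[str, str]           # option_name -> new value


@dataclass
class SettingsStore:
    options: Dict[str, str] = field(default_factory=dict)


class PermissionDenied(Exception):
    pass


def issue_nonce(secret: bytes, user: str, action: str) -> str:
    # Simplified stand-in for a per-user, per-action CSRF token.
    return hmac.new(secret, f"{user}:{action}".encode(), hashlib.sha256).hexdigest()[:32]


def vulnerable_update(store: SettingsStore, req: Request) -> bool:
    # The bug class from the article: the handler trusts whoever calls it and
    # writes the submitted values straight into global configuration.
    store.options.update(req.body)
    return True


def hardened_update(store: SettingsStore, req: Request, secret: bytes) -> bool:
    # 1. Authentication: anonymous requests never reach the write.
    if req.user is None:
        raise PermissionDenied("login required")
    # 2. Authorization: only users with the settings capability may continue.
    if "manage_options" not in req.capabilities:
        raise PermissionDenied("insufficient capability")
    # 3. CSRF protection: the request must carry the token issued for this user and action.
    expected = issue_nonce(secret, req.user, "update_settings")
    if not req.nonce or not hmac.compare_digest(expected, req.nonce):
        raise PermissionDenied("bad or missing nonce")
    # 4. Input scoping: refuse writes to option keys outside the allowlist.
    unknown = set(req.body) - WRITABLE_OPTIONS
    if unknown:
        raise PermissionDenied(f"option not writable: {sorted(unknown)}")
    store.options.update(req.body)
    return True


def demo() -> Dict[str, bool]:
    secret = b"constructed-demo-secret"  # constructed; a real deployment uses a random key
    injected = {"external_scripts": '<script src="https://cdn-example.invalid/gtm.js"></script>'}
    anon = Request(user=None, capabilities=frozenset(), nonce=None, body=injected)
    results: Dict[str, bool] = {}

    vuln_store = SettingsStore()
    results["vulnerable_anon"] = vulnerable_update(vuln_store, anon)

    hard_store = SettingsStore()
    try:
        hardened_update(hard_store, anon, secret)
        results["hardened_anon"] = True
    except PermissionDenied:
        results["hardened_anon"] = False

    admin = Request(user="alice", capabilities=frozenset({"manage_options"}),
                    nonce=issue_nonce(secret, "alice", "update_settings"),
                    body={"checkout_theme": "dark"})
    results["hardened_admin"] = hardened_update(hard_store, admin, secret)
    results["hardened_store_has_injection"] = "external_scripts" in hard_store.options
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {ok}")
```

The four checks are ordered so that the cheapest rejection happens first; the allowlist in step 4 is what keeps a legitimately authorized but buggy caller from writing arbitrary option keys.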

Malware Communicates With Remote Servers

The attack chain becomes even more dangerous after the initial compromise.

Sansec discovered that the fake analytics script downloads a second-stage payload from an external malicious domain. The malware then establishes a WebSocket connection with a command-and-control infrastructure using the suspicious domain:

wss://protect-wss[.]com/ws

This communication channel allows attackers to remotely manage the skimming operation and potentially update the malicious payload in real time.

The use of WebSocket connections also helps attackers maintain stealth and persistent communication with infected stores.

Instead of deploying noisy malware that immediately crashes websites or reveals itself, the attackers focused on remaining invisible while continuously harvesting financial data.

Why This Attack Is Particularly Dangerous

Digital skimming attacks have become one of the most profitable cybercrime methods in recent years. Unlike ransomware attacks that announce themselves loudly, payment skimmers operate silently in the background for weeks or even months.

That makes this FunnelKit incident especially concerning.

Customers visiting infected stores continue shopping normally while their payment information is quietly intercepted during checkout. Merchants may remain unaware until banks, customers, or security researchers identify fraudulent transactions linked to their stores.

The attackers also used a clever disguise technique.

By pretending to be trusted analytics or tag management scripts, the malware blends into the normal environment of modern eCommerce websites. Most online stores already use multiple third-party scripts for advertising, analytics, heatmaps, conversion tracking, and customer behavior monitoring.

As a result, a malicious script hidden among legitimate tags can easily escape detection.

FunnelKit Releases Emergency Patch

After the vulnerability became public, FunnelKit urged all customers to immediately update the Funnel Builder plugin to version 3.15.0.3.

The patch introduces proper permission validation and restricts unauthorized access to sensitive methods within the plugin.

Security experts strongly recommend that affected website owners do more than simply update the plugin. A patch stops future exploitation, but it does not automatically remove existing malware from already compromised stores.

Store administrators are being advised to:

Inspect the “External Scripts” settings for suspicious entries

Remove unknown JavaScript snippets

Scan websites for backdoors and hidden malware

Review server logs for unusual activity

Monitor payment systems for fraud indicators

Rotate administrator credentials if compromise is suspected

Sansec also released indicators of compromise to help defenders identify infected systems.
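To make the checklist above, together with the earlier description of the disguised analytics loader and its WebSocket channel, something an administrator can actually run, here is an added Python audit script. It is not Sansec's tooling and not FunnelKit's code. It takes the raw HTML of a checkout page or the text of the External Scripts setting as a string (the article does not give the option name or an export command, so how that text is obtained is left to the operator), parses the script elements with a regular expression rather than a full HTML parser, and flags: scripts that look like Google Tag Manager or Analytics but load code from a non-Google host, any WebSocket endpoint, the protect-wss[.]com indicator quoted in the article, and entries whose whitespace-normalized hash is not in an approved baseline. It can also emit the setting with every unapproved entry stripped. The sample setting is constructed for the example; `cdn-tagmanager.invalid` is a placeholder host.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional
from urllib.parse import urlparse

# Hosts that genuinely serve Google Tag Manager / Analytics loaders.
GOOGLE_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Indicator from the article (printed there defanged as protect-wss[.]com).
KNOWN_IOC_HOSTS = {"protect-wss.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s'"()<>]+""", re.IGNORECASE)
# Words that make an entry look like a Google tag to a busy administrator.
GOOGLE_WORDS = re.compile(r"gtm\.js|gtag|googletagmanager|google-analytics|GTM-[A-Z0-9]+", re.IGNORECASE)


@dataclass
class Script:
    raw: str             # the whole <script>...</script> element as found
    src: Optional[str]   # external source URL, if the tag has one
    body: str            # inline body (empty for external scripts)

    def digest(self) -> str:
        # Whitespace-normalized hash so an approved snippet survives reformatting.
        return hashlib.sha256(" ".join(self.raw.split()).encode()).hexdigest()


@dataclass
class Finding:
    kind: str    # known_ioc | impersonation | websocket | unapproved
    detail: str


def extract_scripts(html: str) -> List[Script]:
    scripts = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        scripts.append(Script(m.group(0), src.group(1) if src else None, body))
    return scripts


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def audit_scripts(scripts: List[Script], approved: FrozenSet[str] = frozenset()) -> List[Finding]:
    findings: List[Finding] = []
    for s in scripts:
        urls = ([s.src] if s.src else []) + URL_RE.findall(s.body)
        hosts = {_host(u) for u in urls}
        # 1. Direct hit on a published indicator anywhere in the element.
        for h in sorted(hosts & KNOWN_IOC_HOSTS):
            findings.append(Finding("known_ioc", h))
        # 2. Dressed up as a Google tag but pulling code from somewhere else.
        foreign = sorted(hosts - GOOGLE_TAG_HOSTS)
        if GOOGLE_WORDS.search(s.raw) and foreign:
            findings.append(Finding("impersonation", ", ".join(foreign)))
        # 3. Any WebSocket channel on a checkout page deserves a look.
        for u in urls:
            if u.lower().startswith("ws"):
                findings.append(Finding("websocket", u))
        # 4. Drift from the reviewed baseline, when one has been recorded.
        if approved and s.digest() not in approved:
            findings.append(Finding("unapproved", s.digest()[:12]))
    return findings


def clean_setting(value: str, approved: FrozenSet[str]) -> str:
    """Return the setting text with every script element outside the baseline removed."""
    for s in extract_scripts(value):
        if s.digest() not in approved:
            value = value.replace(s.raw, "")
    return value


# Constructed sample setting: the standard GTM loader followed by two injected entries.
SAMPLE_SETTING = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<!-- Google Tag Manager -->
<script src="https://cdn-tagmanager.invalid/gtm.js?id=GTM-EXAMPLE"></script>
<script>var ws = new WebSocket("wss://protect-wss.com/ws");</script>
"""


def run_audit(setting: str = SAMPLE_SETTING):
    scripts = extract_scripts(setting)
    # Assume the first entry was reviewed by the merchant and recorded as the baseline.
    approved = frozenset({scripts[0].digest()})
    return audit_scripts(scripts, approved), clean_setting(setting, approved)


if __name__ == "__main__":
    findings, cleaned = run_audit()
    for f in findings:
        print(f"{f.kind:14} {f.detail}")
    print("--- cleaned setting ---")
    print(cleaned.strip())
```

The impersonation rule is a heuristic: a store's own inline code that pushes events to `gtag` while referencing the store's domain will also be flagged, which is the intended behaviour for a review pass on a checkout page. Record the baseline digests only after a human has read each entry, and re-run the audit on a schedule so that a later injection shows up as drift rather than waiting for a fraud report.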

WooCommerce Remains a Prime Target for Cybercriminals

The incident highlights a larger problem inside the WordPress and WooCommerce ecosystem.

Because WordPress powers a massive percentage of global websites, attackers constantly search for vulnerable plugins that can provide access to large numbers of online stores. Plugins handling checkout processes, payment flows, or customer tracking are especially attractive because they interact directly with financial data.

Many merchants install dozens of plugins without continuously monitoring their security status. Some store owners delay updates due to compatibility concerns or fear of breaking their checkout systems.

Cybercriminals know this and often target outdated plugins that remain exposed long after patches are released.

The FunnelKit attack follows a broader trend where attackers exploit third-party extensions rather than attacking WooCommerce core directly.

The Growing Threat of e-Skimming Operations

This attack is part of a wider category of cybercrime known as Magecart-style skimming.

These operations focus on injecting malicious JavaScript into eCommerce sites to steal payment information in real time. Instead of breaching payment processors directly, attackers compromise websites and intercept data before it reaches secure systems.

The method is effective because it bypasses many traditional fraud detection systems.

Even stores using HTTPS encryption and legitimate payment gateways can still become infected if malicious scripts execute inside the browser.

Over the past few years, skimming campaigns have targeted businesses ranging from small online boutiques to major international retailers.

What Undercode Says:

The FunnelKit incident exposes one of the biggest weaknesses in the modern WordPress ecosystem: trust overload.

Most website owners trust plugins because they come from established developers and have thousands of installations. But popularity does not equal security. In fact, the more widely adopted a plugin becomes, the more attractive it becomes to attackers looking for scalable exploitation opportunities.

What makes this breach especially dangerous is not only the vulnerability itself, but the psychology behind the attack. The malicious scripts were disguised as normal analytics tools because attackers understand how overwhelmed administrators already are. Modern websites are filled with scripts from ad networks, tracking systems, optimization platforms, CRMs, and chat widgets. Few store owners can realistically audit every line of JavaScript running on their checkout pages.

This attack also shows how cybercrime is becoming increasingly stealth-oriented. Years ago, hackers often defaced websites or destroyed data for attention. Today’s attackers behave more like silent financial parasites. They want persistence, invisibility, and recurring profit.

The use of WebSocket communication is another important detail that should not be ignored. It suggests the attackers wanted dynamic control over infected stores instead of relying on static malware. That means campaigns like this can rapidly evolve after deployment.

Another concerning issue is the rise of unauthenticated vulnerabilities in WordPress plugins. These flaws are extremely valuable because they remove the need for stolen credentials. A single vulnerable endpoint can expose thousands of stores simultaneously.

The WordPress plugin economy itself contributes to the problem. Developers race to add features quickly because competition is intense. Marketing automation, upsells, analytics, AI integrations, conversion tools, and dynamic checkouts are all becoming standard expectations. Security testing sometimes struggles to keep up with feature expansion.

Small businesses are often the biggest victims. Large enterprises usually have dedicated security teams, continuous monitoring systems, and incident response processes. Smaller WooCommerce stores often rely on shared hosting, outdated plugins, and minimal technical oversight.

There is also a hidden financial impact beyond stolen cards. Stores compromised by skimmers can face chargebacks, reputation damage, SEO blacklisting, legal liabilities, and loss of customer trust. Some small businesses never fully recover after public payment breaches.

Another critical lesson here is that updating software alone is no longer enough. Modern website defense requires continuous monitoring. Attackers increasingly compromise websites before patches are applied, meaning cleanup becomes just as important as updating.

The disguise strategy used in this campaign reflects a broader cybersecurity trend where attackers hide malicious infrastructure behind ordinary web technologies. Fake analytics scripts, fake CAPTCHA systems, fake browser updates, and fake CDN assets are now common techniques.

One overlooked aspect is how difficult skimmers are to detect from the customer side. Unlike phishing attacks, users do not receive suspicious emails or warnings. They simply enter payment information into what appears to be a legitimate checkout page.

This creates a dangerous trust gap in online commerce.

The incident also reinforces why supply chain security matters. A single plugin vulnerability can indirectly affect thousands of businesses and potentially hundreds of thousands of customers.

For WordPress developers, this case is another reminder that permission validation should never be treated as optional. Missing authorization checks remain one of the most devastating classes of web application vulnerabilities.

From a broader industry perspective, the eCommerce world is entering an era where attackers prioritize invisible monetization over destruction. Quiet theft generates less attention, fewer investigations, and longer operational windows for criminals.

Security researchers like Sansec are becoming increasingly important because many infections would otherwise remain undiscovered for extended periods.

This attack may also push more merchants toward managed commerce platforms where infrastructure security is handled centrally. Self-hosted flexibility remains powerful, but it also transfers significant security responsibility onto store owners.

Ultimately, the FunnelKit breach is not just another plugin vulnerability story. It represents the growing industrialization of browser-based financial theft across the internet.

Fact Checker Results

✅ The Funnel Builder vulnerability and active exploitation were publicly reported by Sansec.
✅ FunnelKit officially released version 3.15.0.3 to address the security flaw.
❌ No evidence currently suggests WooCommerce core itself was compromised directly in this attack.

Prediction

🔮 WordPress eCommerce plugins handling payments and analytics will face heavier security scrutiny over the next year.
🔮 Browser-based skimming attacks will become more sophisticated, with malware increasingly disguised as trusted third-party services.
🔮 Online merchants will likely adopt stricter plugin auditing and real-time monitoring solutions after incidents like this continue to rise.


References:

Reported By: securityaffairs.com