Active exploitation of unauthenticated JavaScript injection flaw in Funnel Builder WordPress plugin leading to payment skimming

1 unique source, 1 article

Summary

A critical unauthenticated vulnerability in the Funnel Builder WordPress plugin (all versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. The flaw allows attackers to modify plugin settings via an exposed checkout endpoint, enabling arbitrary JavaScript execution on checkout pages. This results in the deployment of a payment card skimmer that collects credit card numbers, CVVs, billing addresses, and other customer data.

Timeline

  1. 15.05.2026 22:30 · 1 article

    Unauthenticated code injection vulnerability in Funnel Builder plugin exploited to deploy payment card skimmers

    Active exploitation of an unauthenticated vulnerability in the Funnel Builder WordPress plugin (versions < 3.15.0.3) observed, allowing arbitrary JavaScript injection into WooCommerce checkout pages via an exposed endpoint. Attackers modify the plugin’s "External Scripts" setting to inject a fake analytics script that establishes a WebSocket connection to a malicious server, delivering a payment skimmer that captures credit card details, CVVs, and billing addresses. FunnelKit issued patched version 3.15.0.3 and advises immediate updates and a review of plugin settings for unauthorized scripts.

Information Snippets

  • The vulnerability affects all versions of the Funnel Builder plugin prior to 3.15.0.3, enabling unauthenticated attackers to inject malicious JavaScript into checkout pages.

    First reported: 15.05.2026 22:30
    1 source, 1 article
  • Exploitation leverages an unprotected, publicly accessible checkout endpoint to modify the plugin’s "External Scripts" setting, allowing arbitrary code injection.

    First reported: 15.05.2026 22:30
    1 source, 1 article
  • The injected payload is disguised as a fake Google Tag Manager/Google Analytics script (analytics-reports[.]com/wss/jquery-lib.js), which establishes a WebSocket connection to wss://protect-wss[.]com/ws.

    First reported: 15.05.2026 22:30
    1 source, 1 article
  • The skimmer collects credit card numbers, CVVs, billing addresses, and other customer information, enabling fraudulent transactions or resale in carding markets.

    First reported: 15.05.2026 22:30
    1 source, 1 article
  • FunnelKit released a patched version (3.15.0.3) to address the vulnerability and urges administrators to update immediately and review "External Scripts" for unauthorized entries.

    First reported: 15.05.2026 22:30
    1 source, 1 article
  • The plugin is active on over 40,000 WordPress websites, based on WordPress.org statistics.

    First reported: 15.05.2026 22:30
    1 source, 1 article
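The vendor's advice above is to review the plugin's "External Scripts" setting for unauthorized entries. A complementary check an administrator can run from outside wp-admin is to fetch the rendered checkout page and audit every script it loads against an allowlist, flagging unexpected hosts, any WebSocket endpoints opened from inline script, and matches against the two hosts reported for this campaign. The following is an added example written for this page; it is not code from FunnelKit, the plugin, or the reporting source. The checkout HTML is a constructed sample, the allowlist (`DEFAULT_ALLOWLIST`, including the placeholder store host `shop.example`) is an assumption, and the indicator hosts are the page's defanged values re-fanged only for matching.

```python
"""Audit a rendered WooCommerce checkout page for unauthorized external
scripts and WebSocket endpoints (added example, not the plugin's own code).

Input: HTML of a checkout page (a constructed sample is embedded below).
Output: script hosts not on an administrator-maintained allowlist, wss://
endpoints referenced from inline script, and hits on the indicator hosts
reported for this campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(host: str) -> str:
    """Turn a defanged host ('example[.]com') back into a matchable one."""
    return host.replace("[.]", ".")


# Indicator hosts from the report (kept defanged here, re-fanged for matching).
KNOWN_BAD_HOSTS = {refang(h) for h in ("analytics-reports[.]com", "protect-wss[.]com")}

# Assumed allowlist an administrator would maintain for their own store.
DEFAULT_ALLOWLIST = {"www.googletagmanager.com", "www.google-analytics.com", "shop.example"}

# Matches ws:// and wss:// URLs inside script bodies.
WSS_RE = re.compile(r"wss?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def host_of(url: str) -> str:
    """Hostname of an absolute or protocol-relative URL, lower-cased."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def audit_checkout_html(html: str, allowlist=DEFAULT_ALLOWLIST) -> dict:
    """Return unexpected script hosts, WebSocket endpoints, and indicator hits."""
    parser = ScriptCollector()
    parser.feed(html)

    unexpected = sorted({host_of(u) for u in parser.external
                         if host_of(u) and host_of(u) not in allowlist})
    wss = sorted({m for body in parser.inline for m in WSS_RE.findall(body)}
                 | {u for u in parser.external if u.startswith("wss://")})
    ioc_hits = {h for h in unexpected if h in KNOWN_BAD_HOSTS}
    ioc_hits |= {host_of(w) for w in wss if host_of(w) in KNOWN_BAD_HOSTS}
    return {"unexpected_hosts": unexpected,
            "websocket_endpoints": wss,
            "ioc_hits": sorted(ioc_hits)}


# Constructed sample: a legitimate tag-manager script, the store's own plugin
# asset, and an imitation of the injected "analytics" tag plus its WebSocket.
SAMPLE_CHECKOUT_HTML = f"""
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://shop.example/wp-content/plugins/funnel-builder/assets/checkout.js"></script>
<script src="https://{refang('analytics-reports[.]com')}/wss/jquery-lib.js"></script>
<script>
  var sock = new WebSocket("wss://{refang('protect-wss[.]com')}/ws");
</script>
</head><body>checkout form</body></html>
"""

if __name__ == "__main__":
    for key, value in audit_checkout_html(SAMPLE_CHECKOUT_HTML).items():
        print(f"{key}: {value}")
```

Run it against the HTML returned by an authenticated or guest fetch of the store's checkout URL (the page the skimmer targets, not the home page), and compare `unexpected_hosts` with what the "External Scripts" setting is supposed to contain; any host present in the rendered page but absent from that setting points to injection somewhere else in the site and warrants a wider review. An empty `ioc_hits` list does not clear a site, since a different campaign would use different hosts; the allowlist comparison is the durable check.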