Funnel Builder WordPress Plugin Exploited for Card Theft
A critical Funnel Builder WordPress plugin flaw is actively exploited to inject card skimmers on WooCommerce checkouts. Update to 3.15.0.3 now.
Funnel Builder Plugin Actively Exploited on 40,000+ Sites
A critical vulnerability in the Funnel Builder WordPress plugin is being actively exploited in the wild. Attackers are injecting malicious JavaScript into WooCommerce checkout pages to steal payment card data directly from shoppers. The Funnel Builder plugin flaw requires no authentication to exploit, making it trivially accessible to anyone who finds the exposed endpoint. All versions before 3.15.0.3 are affected.
The plugin, developed by FunnelKit, is installed on more than 40,000 WordPress sites. It handles checkout customization, one-click upsells, and conversion optimization. That makes it a high-value target: compromising one widely used checkout plugin potentially gives an attacker access to payment data across tens of thousands of storefronts.
No CVE has been assigned yet at time of writing.
How the Attack Works: Exposed Endpoint to Script Injection
The root of the problem is an unprotected, publicly exposed checkout endpoint that allows modification of the plugin's global settings without any authentication check. An attacker sends a crafted request to this endpoint and writes arbitrary JavaScript into the plugin's "External Scripts" configuration field.
Once written, that script executes on every checkout page the plugin renders.
E-commerce security firm Sansec caught the active exploitation and identified the payload being delivered: a file hosted at analytics-reports[.]com/wss/jquery-lib.js. It's disguised as a Google Tag Manager or Google Analytics script, which helps it blend into normal page traffic. Under the hood, it opens a WebSocket connection to wss://protect-wss[.]com/ws, a remote attacker-controlled server that delivers a customized payment card skimmer.
The skimmer collects:
- Credit card numbers
- CVV codes
- Billing addresses
- Other customer-entered checkout data
That data is exfiltrated in real time back to the attacker's infrastructure.
What's at Risk for Developers and Store Owners
The damage here extends well beyond a single transaction. Stolen card data gets sold individually or in bulk on dark web carding markets, enabling fraudulent purchases long after the initial breach. If your store was running a vulnerable version of Funnel Builder during the window of active exploitation, you need to assume customer data may have been compromised.
From a liability standpoint, a payment card skimmer on your checkout page likely puts you in violation of PCI DSS requirements. Card brands and payment processors do not look favorably on incidents like this. Beyond fines, chargebacks and reputational damage can follow quickly.
Developers maintaining WooCommerce stores on behalf of clients should treat this as an active incident response situation, not a routine patch cycle.
How to Fix and Harden Against This Vulnerability
FunnelKit released version 3.15.0.3 on May 15, 2026, which patches the vulnerability. The fix is the immediate priority. Update now from your WordPress dashboard.
After updating, do this:
- Navigate to Settings > Checkout > External Scripts in your Funnel Builder configuration.
- Audit every entry. Remove anything you didn't explicitly add.
- Check your site's overall JavaScript inventory for unfamiliar third-party script tags.
- Review recent server logs for unusual POST requests to checkout endpoints.
- Run an external scan of your checkout pages to detect injected scripts.
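To make the log-review step concrete, here is an added example (not code from the article or from FunnelKit) that flags POST requests to checkout-related paths which do not look like a shopper submitting a form. It assumes Apache/Nginx "combined" log format and a store hostname of shop.example; the log lines are constructed, and the /wp-json/example-plugin/v1/checkout-settings path is a placeholder standing in for the plugin's settings endpoint, whose real path the article does not give. The heuristic (no on-site Referer, or a non-browser User-Agent) is a starting point for triage, not proof of exploitation.

```python
"""Flag unusual POST requests to checkout endpoints in web server access logs.

Added example, not from the article or from FunnelKit. Assumes the
Apache/Nginx "combined" log format. A POST to a checkout-related path that
arrives with no Referer from the store itself, or from a non-browser
User-Agent, is reported for closer inspection.
"""
import re
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SITE_HOST = "shop.example"        # assumed store hostname
CHECKOUT_MARKERS = ("checkout",)  # path substrings treated as checkout endpoints
TOOL_UA_RE = re.compile(r"curl|wget|python-requests|go-http-client|libwww", re.I)

# Constructed sample log: two normal browser checkout POSTs, one product GET,
# one scripted POST with no Referer, and one POST to a placeholder settings
# path (not the plugin's real endpoint) from a command-line client.
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2026:10:01:02 +0000] "POST /checkout/ HTTP/1.1" 200 5120 "https://shop.example/checkout/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
203.0.113.11 - - [15/May/2026:10:02:14 +0000] "GET /product/widget/ HTTP/1.1" 200 8000 "https://shop.example/" "Mozilla/5.0 (Macintosh) Safari/17.0"
198.51.100.7 - - [15/May/2026:10:03:40 +0000] "POST /checkout/ HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.8 - - [15/May/2026:10:04:01 +0000] "POST /wp-json/example-plugin/v1/checkout-settings HTTP/1.1" 200 95 "-" "curl/8.5.0"
203.0.113.12 - - [15/May/2026:10:05:27 +0000] "POST /checkout/ HTTP/1.1" 200 5100 "https://shop.example/cart/" "Mozilla/5.0 (X11; Linux) Firefox/125.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_checkout_post(entry):
    return entry["method"] == "POST" and any(
        marker in entry["path"].lower() for marker in CHECKOUT_MARKERS
    )


def reasons(entry):
    """Return the heuristic reasons a checkout POST looks unusual (empty if none)."""
    out = []
    ref_host = urlparse(entry["referer"]).hostname if entry["referer"] != "-" else None
    if ref_host != SITE_HOST:
        out.append("no on-site Referer")
    if TOOL_UA_RE.search(entry["ua"]):
        out.append("non-browser User-Agent")
    return out


def find_unusual_checkout_posts(log_text):
    """Return findings for every checkout POST that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not is_checkout_post(entry):
            continue
        why = reasons(entry)
        if why:
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "path": entry["path"],
                "reasons": why,
            })
    return findings


if __name__ == "__main__":
    for f in find_unusual_checkout_posts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} POST {f['path']}: {', '.join(f['reasons'])}")
```

Run it against your real access log by replacing SAMPLE_LOG with the file contents and SITE_HOST with your domain. Browser-originated checkout submissions normally carry an on-site Referer, so the two flagged entries are the ones worth correlating with the timeline of the External Scripts change.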
If you find rogue scripts, treat it as a confirmed breach. Notify affected customers, contact your payment processor, and document the timeline.
Longer term, consider automated scanning as part of your deployment process. Tools that perform dynamic checks on exposed endpoints can surface misconfigurations like this before attackers do. See our guide to WooCommerce security testing for more detail on building that into your pipeline.
How do I know if my site was already compromised? Check Settings > Checkout > External Scripts for scripts you didn't add. Also inspect your site's rendered checkout page source for unexpected WebSocket connections or unfamiliar JavaScript URLs, particularly anything referencing analytics-reports[.]com or protect-wss[.]com.
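The compromise check above, and the "audit every entry" and "JavaScript inventory" steps in the fix list, can be scripted. The following is an added example, not code from the article or from FunnelKit: it takes the HTML of a rendered checkout page (or the raw entries copied out of the External Scripts field), reports external scripts whose host is not on an allowlist, inline scripts that open a WebSocket, and any reference to the two indicator domains the article names. The allowlist hosts (shop.example, www.googletagmanager.com) and the sample HTML are constructed; the indicator domains are the ones from the article, with the defanging brackets stripped so they can be matched.

```python
"""Audit checkout-page scripts for signs of an injected skimmer.

Added example, not code from the article or from FunnelKit. Reports:
  - external <script src> hosts that are not on an allowlist,
  - inline scripts that open a WebSocket connection,
  - any reference to the indicator domains named in the article.
"""
import re
from urllib.parse import urlparse

# Indicator domains from the article, defanged in the source and un-defanged here.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("analytics-reports[.]com", "protect-wss[.]com")}

# Assumed allowlist for a hypothetical store: its own host plus the tag-manager
# host it legitimately loads. Adjust to the scripts you actually deploy.
ALLOWED_HOSTS = {"shop.example", "www.googletagmanager.com"}

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*["'](wss?://[^"']+)["']""", re.I)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)

# Constructed rendered checkout page: two legitimate scripts, one injected
# external script, one inline WebSocket opener, one harmless inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>
  var s = new WebSocket("wss://protect-wss.com/ws");
  s.onmessage = function (e) { /* constructed stand-in; no skimmer logic here */ };
</script>
<script>document.addEventListener("DOMContentLoaded", function () {});</script>
</head><body>checkout form here</body></html>
"""

# Constructed stand-in for the values found in the External Scripts field.
SAMPLE_SETTING_ENTRIES = [
    "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX",
    "https://analytics-reports.com/wss/jquery-lib.js",
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _ioc_domains_in(text):
    """Sorted list of indicator domains referenced anywhere in text."""
    return sorted({d.lower() for d in DOMAIN_RE.findall(text) if d.lower() in IOC_DOMAINS})


def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a finding per suspicious <script> element in the given HTML."""
    findings = []
    for attrs, body in SCRIPT_TAG_RE.findall(html):
        src = SRC_ATTR_RE.search(attrs)
        reasons = []
        if src:
            url = src.group(1)
            host = _host(url)
            # A relative src has no host and is same-origin; only absolute
            # URLs are checked against the allowlist.
            if host and host not in allowed_hosts:
                reasons.append(f"external script host not in allowlist: {host}")
            iocs = _ioc_domains_in(url)
            kind, location = "external", url
        else:
            for ws_url in WS_RE.findall(body):
                reasons.append(f"opens WebSocket to {ws_url}")
            iocs = _ioc_domains_in(body)
            kind, location = "inline", body.strip()[:60]
        if iocs:
            reasons.append("references indicator domain(s): " + ", ".join(iocs))
        if reasons:
            findings.append({"kind": kind, "location": location, "reasons": reasons})
    return findings


def audit_external_scripts_setting(entries, allowed_hosts=ALLOWED_HOSTS):
    """Apply the same checks to raw External Scripts entries, which may be
    bare URLs or full <script> tags."""
    fragments = [e if "<script" in e.lower() else f'<script src="{e}"></script>' for e in entries]
    return audit_scripts("\n".join(fragments), allowed_hosts)


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_CHECKOUT_HTML) + audit_external_scripts_setting(SAMPLE_SETTING_ENTRIES):
        print(f"[{f['kind']}] {f['location']}\n    " + "\n    ".join(f["reasons"]))
```

Feed it the page source fetched from your live checkout URL (as a logged-out visitor, so the plugin renders the same scripts a shopper sees) and the entries from Settings > Checkout > External Scripts. Anything reported with an indicator-domain reason is a confirmed hit; anything reported only for an unknown host needs a human to decide whether it belongs.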
Does updating to 3.15.0.3 remove injected scripts automatically? No. The update patches the vulnerable endpoint, but any scripts already injected into your settings remain. You must manually review and remove them after updating.
Is this exploitable on sites that don't take live payments yet? If the plugin is active and the checkout pages are publicly accessible, the endpoint is exploitable regardless of whether real transactions are processed. Staging environments with the plugin enabled are also at risk if they're reachable from the internet.