WordPress Funnel Builder Bug Exposes 40K Sites to Card Theft
Critical flaw in Funnel Builder plugin lets attackers inject malicious scripts, affecting thousands of WooCommerce sites.
A critical vulnerability in the popular Funnel Builder plugin for WordPress has put over 40,000 websites at risk, enabling attackers to steal sensitive credit card information. This flaw, affecting all versions of the plugin prior to 3.15.0.3, has been actively exploited by malicious actors who inject harmful JavaScript into WooCommerce checkout pages.
The Vulnerability
Security firm Sansec uncovered this alarming issue, revealing that the exploit allows attackers to modify the plugin’s global settings through an unsecured, publicly accessible endpoint. This enables the insertion of arbitrary JavaScript into the plugin’s 'External Scripts' setting, leading to the execution of malicious code on checkout pages.
The malicious code masquerades as a legitimate Google Tag Manager or Google Analytics script, which then opens a WebSocket connection to a rogue server. This server distributes a customized payment card skimmer, stealing critical data such as credit card numbers, CVVs, billing addresses, and other customer information.
FunnelKit's Response
FunnelKit, the developer behind the Funnel Builder plugin, has responded quickly by releasing an updated version 3.15.0.3 to address this security gap. The company has confirmed the malicious activity and urges users to update their plugins immediately through the WordPress dashboard. Additionally, administrators are advised to scrutinize their settings for any unauthorized scripts that may have been added by attackers.
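The settings review FunnelKit recommends above can be scripted. The following is an added example written for this article, not code from Sansec, FunnelKit or WordPress. It assumes the plugin's 'External Scripts' setting has been exported as a plain string of HTML script tags (for instance by reading the relevant wp_options row with WP-CLI; the option name is not known from this story and is left to the operator). The allowlist of expected hosts and both sample settings are constructed, and the stand-in for an injected loader only reproduces the two traits the article describes: a host that merely looks like Google's, and inline code that opens a WebSocket.

```python
"""Audit an exported 'external scripts' setting for unexpected script hosts and
socket-opening inline code.

Added example for this article, not code from Sansec, FunnelKit or WordPress.
Assumption: the plugin setting has been exported as a plain string of HTML
<script> tags. The allowlist and both sample settings below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site operator knowingly configured (constructed allowlist).
# Matching is exact, so a lookalike host containing one of these names is flagged.
DEFAULT_ALLOWLIST = frozenset({
    "www.googletagmanager.com",
    "www.google-analytics.com",
})

# Absolute URLs inside inline script bodies, including WebSocket URLs.
URL_RE = re.compile(r"(?:https?|wss?)://[^\s'\"<>]+", re.IGNORECASE)
# Inline code that opens a live socket from the checkout page.
WEBSOCKET_RE = re.compile(r"new\s+WebSocket\s*\(", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) pairs for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None  # [src, [body chunks]] while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = [dict(attrs).get("src"), []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            src, chunks = self._current
            self.scripts.append((src, "".join(chunks)))
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def audit_external_scripts(setting_value, allowlist=DEFAULT_ALLOWLIST):
    """Return a list of (reason, detail) findings; an empty list means nothing was flagged."""
    collector = _ScriptCollector()
    collector.feed(setting_value)
    collector.close()

    findings = []
    for src, body in collector.scripts:
        # External script: the host must be one the operator configured.
        if src and _host(src) not in allowlist:
            findings.append(("unlisted script host", src))
        # Inline script: any URL it embeds must also point at an allowed host ...
        for url in URL_RE.findall(body):
            if _host(url) not in allowlist:
                findings.append(("unlisted host referenced from inline script", url))
        # ... and an analytics tag has no business opening a WebSocket.
        if WEBSOCKET_RE.search(body):
            findings.append(("inline script opens a WebSocket", body.strip()[:80]))
    return findings


# Constructed sample: what an operator-installed Google tag setup looks like.
SAMPLE_CLEAN = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  (function(d){var j=d.createElement('script');j.async=true;
  j.src='https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE';
  d.head.appendChild(j);})(document);
</script>
"""

# Constructed stand-in for an injected loader: named like a Google tag, but the
# host is not Google's and it opens a WebSocket instead of loading a tag.
SAMPLE_INJECTED = SAMPLE_CLEAN + """
<script src="https://www.googletagmanager-cdn.invalid/gtm.js"></script>
<script>var s = new WebSocket('wss://analytics-gtm.invalid/ws');</script>
"""

if __name__ == "__main__":
    for reason, detail in audit_external_scripts(SAMPLE_INJECTED):
        print(f"{reason}: {detail}")
```

Run against the clean sample the audit returns nothing; against the injected sample it reports the lookalike host, the unlisted WebSocket endpoint and the socket-opening inline script. The allowlist should hold only the hosts the operator deliberately configured, since the whole point of the masquerade described by Sansec is that a domain name resembling Google's is not the same as Google's.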
This incident highlights the necessity for regular updates and vigilant monitoring of site plugins, especially those handling financial transactions.
Context
The European e-commerce market is particularly vulnerable to such threats given its reliance on WordPress plugins like Funnel Builder to enhance conversion rates. This incident echoes past vulnerabilities in e-commerce platforms that have led to significant financial losses and data breaches. With GDPR in place, European businesses face additional pressure to maintain stringent data protection standards.
What this means for you
If you're a website owner or administrator using the Funnel Builder plugin, it's imperative to update to the latest version immediately. This update not only patches the vulnerability but also helps prevent potential financial and reputational damage. Be sure to review your site settings for any suspicious scripts to mitigate further risks.
What's still unclear
While FunnelKit has patched the vulnerability, questions remain about the extent of the data breach and how many users have been affected. Additionally, it’s uncertain how many websites have yet to implement the necessary updates to protect themselves.
Why this matters
Security flaws in widely-used plugins like Funnel Builder pose significant risks to online businesses and their customers. This vulnerability underlines the importance of regular software updates and vigilant security practices to safeguard sensitive data. As the digital landscape evolves, so too must our efforts to protect it from emerging threats.
The Byte-Pulse Newsroom is the editorial system that produces Byte-Pulse's daily tech news coverage. Each story is cross-referenced across 3+ independent outlets, drafted with AI assistance by the newsroom system (Drafter → Editor → Fact-Checker → Polisher), and reviewed by Serhat Er, Editor-in-Chief, before publication. We disclose AI augmentation openly. Editorial accountability stays with the named editor on every article. Tips: editorial@byte-pulse.net.