
Funnel Builder WordPress Plugin Bug Exploited to Steal Credit Cards
Why It Matters
The exploit enables real‑time card‑skimming on thousands of online stores, driving fraud losses and data‑breach liability for merchants. Prompt patching is essential to protect consumer payment data and preserve brand trust.
Key Takeaways
- Over 40,000 sites run vulnerable Funnel Builder plugin
- Exploit works without authentication via public checkout endpoint
- Malicious script masquerades as Google Tag Manager script
- Patch released in version 3.15.0.3; update immediately
Pulse Analysis
The discovery of an unauthenticated JavaScript injection flaw in Funnel Builder highlights a broader risk for WordPress‑based e‑commerce platforms. Because the plugin integrates directly with WooCommerce checkout, any compromised site can serve a custom skimmer that captures full payment details. Attackers disguise the payload as a familiar analytics script, increasing the likelihood that site owners overlook the malicious code. This technique mirrors other supply‑chain attacks where trusted plugins become vectors for large‑scale data theft.
For merchants, the financial impact extends beyond immediate fraud losses. Stolen card data often appears on dark‑web carding markets, leading to chargebacks, fines, and reputational damage. Moreover, compliance regimes such as PCI DSS and state privacy laws may hold businesses accountable for inadequate security controls, potentially resulting in costly penalties. The rapid exploitation underscores the importance of continuous vulnerability monitoring, especially for plugins that handle sensitive checkout flows.
FunnelKit’s response—releasing version 3.15.0.3 and issuing a clear remediation guide—demonstrates best‑practice incident handling. Site administrators should prioritize the update, verify the "External Scripts" setting for rogue entries, and consider implementing a Web Application Firewall to block unexpected script loads. Regular plugin audits and a zero‑trust approach to third‑party code can mitigate similar threats, safeguarding both merchant revenue and consumer trust.
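The remediation advice above asks administrators to look for rogue script entries and to block unexpected script loads. The following is an added example (not code from the article or from FunnelKit) of a small audit that a site owner can run against a saved copy of their own rendered checkout page: it collects every `<script src>` and every URL literal inside inline scripts, then flags any host that is not on an allowlist, paying special attention to hosts or filenames that borrow Google Tag Manager or analytics vocabulary, which is the masquerading technique the article describes. The allowlist, the lookalike tokens, and the sample HTML (including the `.example` hostnames and the `GTM-EXAMPLE` container id) are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve tag/analytics scripts on this
# site's checkout page. Tune per site; anything else is reported.
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Vocabulary that a skimmer disguised as a tag-manager script tends to reuse.
LOOKALIKE_TOKENS = ("gtm", "tagmanager", "analytics", "google")

# Absolute or protocol-relative URLs with a dotted hostname, as found in
# inline script bodies (e.g. the j.src='...' line of a GTM-style bootstrap).
URL_RE = re.compile(
    r"""(?:https?:)?//[a-z0-9-]+(?:\.[a-z0-9-]+)+[^\s'"<>()]*""", re.I
)


class ScriptTagCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def classify_script_url(url):
    """Return 'first-party', 'allowed', 'lookalike' or 'unknown' for a script URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "first-party"          # relative path served by the site itself
    if host in ALLOWED_SCRIPT_HOSTS:
        return "allowed"
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if any(tok in host or tok in filename for tok in LOOKALIKE_TOKENS):
        return "lookalike"            # trusted-vendor vocabulary on an untrusted host
    return "unknown"


def audit_checkout_html(html):
    """Return findings for every script load that is neither first-party nor allowlisted."""
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        verdict = classify_script_url(src)
        if verdict in ("lookalike", "unknown"):
            findings.append({"where": "script src", "url": src, "verdict": verdict})
    for body in collector.inline:
        for url in URL_RE.findall(body):
            verdict = classify_script_url(url)
            if verdict in ("lookalike", "unknown"):
                findings.append({"where": "inline script", "url": url, "verdict": verdict})
    return findings


# Constructed sample: a checkout page with the real GTM loader, a first-party
# WooCommerce script, an unknown third-party tag, and an inline GTM-style
# bootstrap whose src points at a lookalike host instead of Google's.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://static.cdn-host.example/tag.js"></script>
<script>
(function(w,d,s,l,i){var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.src='https://cdn.tagmanager-stats.example/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE');
</script>
</head><body>checkout</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"[{finding['verdict']:9}] {finding['where']}: {finding['url']}")
```

Run against a saved copy of the live checkout page (not the theme source, since the injected entry is emitted at render time) and treat every `lookalike` hit as a priority: a script that copies the Tag Manager bootstrap but loads from a host that is not `www.googletagmanager.com` is exactly the disguise the article warns about. `unknown` hits are either legitimate vendors that belong on the allowlist or further entries to investigate.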