10 Critical Facts About the Funnel Builder WooCommerce Checkout Skimming Threat

In a concerning development for WordPress site owners, a critical security flaw in the popular Funnel Builder plugin is being actively exploited by attackers. This vulnerability allows malicious JavaScript code to be injected into WooCommerce checkout pages, effectively skimming payment data from unsuspecting customers. Security firm Sansec recently published details of the ongoing attacks, but as of now, the flaw lacks an official CVE identifier. Below are the ten essential things you need to know about this threat.

1. What Is the Funnel Builder Plugin?

Funnel Builder is a widely used WordPress plugin designed to create sales funnels, landing pages, and checkout experiences for WooCommerce stores. It offers advanced features like upsells, downsells, and order bumps, making it a favorite among e-commerce merchants. However, its popularity also makes it a prime target for cybercriminals. The plugin is maintained by a third-party developer and is installed on thousands of sites, amplifying the potential impact of any security issue. Understanding its role in the WooCommerce ecosystem helps contextualize why a vulnerability in Funnel Builder can lead to devastating data breaches.

2. Nature of the Vulnerability: Malicious JavaScript Injection

The flaw is a client-side security vulnerability that enables attackers to inject arbitrary JavaScript code into the checkout page of any WooCommerce store using the plugin. This type of attack is often referred to as checkout skimming or formjacking. The injected script runs in the user's browser and can intercept sensitive data—such as credit card numbers, expiration dates, CVV codes, and billing addresses—before it is encrypted and sent to the payment gateway. The vulnerability does not require authentication to exploit, making it especially dangerous for site owners who have not applied any available patches.

3. Active Exploitation in the Wild

According to Sansec's report, the vulnerability is currently under active exploitation in the wild. This means that attackers have already developed and deployed exploit code targeting vulnerable sites. The speed of exploitation suggests that cybercriminals are moving quickly to compromise as many stores as possible before site owners patch. Security researchers urge administrators to check their sites immediately for signs of compromise and apply any available updates or mitigations. The active nature of the threat elevates it from a theoretical risk to an immediate, concrete danger for all Funnel Builder users.

4. How the Skimming Attack Works

The attack unfolds in three main steps. First, the attacker identifies a vulnerable Funnel Builder installation. Second, they inject malicious JavaScript into the plugin's output—often via a compromised script that loads on the checkout page. Third, when a customer enters payment details and clicks "Submit," the malicious script captures the data and sends it to a third-party server controlled by the attacker. The legitimate transaction still proceeds, so the customer and store owner may not notice anything unusual. This stealthy method allows attackers to harvest thousands of payment records before detection.

5. Impact on WooCommerce Stores and Customers

The immediate impact is theft of sensitive payment data from customers, which can lead to financial fraud, identity theft, and chargebacks. For store owners, a data breach can result in legal liabilities (e.g., under GDPR or PCI DSS), loss of customer trust, reputational damage, and potential fines. Additionally, if a skimming script is detected by payment processors, the merchant's account may be suspended. The long-term consequences include reduced sales and the high cost of forensic investigation, notification, and remediation. Small businesses are especially vulnerable because they often lack dedicated security teams.

6. Why Is There No CVE Identifier?

At the time of writing, the vulnerability does not have an official CVE identifier. The reason could be that the issue was reported privately or discovered before the disclosure process was complete, or that the plugin developer has not yet requested a CVE. Without a CVE number, the vulnerability may be harder to track in security databases and automated scanners. However, the lack of a CVE does not diminish the severity—attackers have already weaponized the exploit. Security tools and services may rely on other indicators, such as plugin version numbers or signatures of the malicious code, to detect exploitation.

7. Discovery and Reporting by Sansec

The details of the active exploitation were published by Sansec, a security firm specializing in e-commerce threats. Sansec's researchers detected the malicious activities and analyzed the attack vectors. Their report provides technical indicators that site administrators can use to check for compromise—such as specific JavaScript filenames, suspicious server requests, and changes to plugin files. Sansec recommends immediate application of any security patches and suggests that site owners review their WooCommerce and Funnel Builder configurations. The firm continues to monitor the situation and may update its guidance as the attack evolves.

8. Recommended Actions for Site Owners

To protect your site, take the following steps without delay:

• Update the Funnel Builder plugin to the latest version if a patch is available.
• Check for unauthorized changes to plugin files, especially JavaScript and PHP files in the Funnel Builder directory.
• Review WooCommerce checkout page source for any unfamiliar scripts or inline code.
• Enable a Web Application Firewall (WAF) with rules to block known malicious payloads.
• Monitor server logs for outbound connections to suspicious domains.
• Notify your hosting provider and consider restoring from a clean backup if compromise is confirmed.
• Inform affected customers and follow data breach notification laws in your jurisdiction.

9. Signs Your Site May Be Compromised

Look for these red flags: unexpected changes to checkout pages, slow page loads on payment forms, customer complaints about failed transactions or duplicate charges, and unfamiliar JavaScript files in your site’s assets. A free tool like Why No Padlock? can help scan for mixed content issues that might indicate injected scripts. Additionally, use the browser's developer tools to inspect network requests; any obfuscated code sending data to unknown endpoints is highly suspicious. Regular security scans with a trusted plugin can also reveal anomalies.

10. Long-Term Prevention and Best Practices

To reduce the risk of future attacks, adopt a proactive security posture:

1. Keep all plugins and themes updated—vulnerabilities are often patched quickly by developers.
2. Use Content Security Policy (CSP) headers to restrict which scripts can execute on your site.
3. Implement subresource integrity (SRI) for third-party assets.
4. Perform regular security audits and penetration testing.
5. Educate your team about social engineering and phishing that could lead to admin account compromise.
6. Choose reputable plugins with active maintenance and security track records.

By combining immediate fixes with long-term security measures, you can significantly lower the risk of falling victim to checkout skimming attacks.

In conclusion, the active exploitation of the Funnel Builder vulnerability is a stark reminder that even widely trusted plugins can harbor critical flaws. WordPress site owners using WooCommerce must act now to protect their customers and their business. Stay informed through security alerts from trusted sources like Sansec, and always prioritize patching known vulnerabilities. With diligent monitoring and robust security practices, you can defend against skimming attacks and maintain the trust of your online shoppers.