Cybercriminals have been actively exploiting a critical flaw in the widely deployed Funnel Builder plugin in order to harvest customer payment information during online transactions in a newly uncovered attack campaign, once again highlighting the security risks that face the WordPress e-commerce ecosystem.
According to security researchers, attackers are exploiting this vulnerability to silently inject malicious code into WooCommerce checkout pages, transforming legitimate payment workflows into points of data collection that are used to steal payment card information.
Approximately 40,000 websites are reported to have been infected with the plugin, posing a serious threat to online retailers as the vulnerability exposes sensitive customer data, including payment card information, CVV number, billing information, and other personal identifiers, to unauthorized access.
Linked to the discovery was an extensive security incident affecting the WordPress ecosystem, in which researchers discovered malicious code embedded within several widely used plugins, allowing attackers to gain access to vulnerable sites at an administrator level.
The full scope of the attack is still being investigated, but early indications indicate that a number of plugins with significant installations may have been affected, thereby expanding the attack surface substantially.
A threat actor may be able to bypass conventional authentication controls by create privileged accounts covertly and gain persistence over website environments. This allows them to manipulate content, exfiltrate sensitive business and customer data, deploy additional malware payloads, or take full control of the affected platform by manipulating site content.
It is important to understand how a single compromised plugin component can quickly become a source of global supply chain security concerns, presenting a heightened risk to both website operators and their users.
Based on further analysis, it was found that the vulnerability emerged from an unauthenticated flaw in Funnel Builder versions before 3.15.0.3, which enabled attackers to manipulate key plugin settings without requiring valid credentials.
More than 40,000 WordPress websites are hosting the plugin, which is widely used by WooCommerce merchants to create customized checkout experiences, landing pages, and sales funnels focused on conversions, amplifying the impact of exploitation. According to Sansec researchers, the malicious activity was associated with a deceptive JavaScript payload disguised as Google Analytics or Google Tag Manager components.
A WebSocket connection is established between the script and the attacker-controlled infrastructure, and the script abuses a vulnerable checkout endpoint to inject arbitrary code into the plugin's External Scripts configuration.
By loading malicious JavaScript automatically during checkout pages, a tailored payment skimmer silently captures the customer's credit card numbers, CVV codes, billing details, and other information provided by the customer.
It is common for stolen payment data to be monetized through fraudulent purchases or traded on underground carding markets.
FunnelKit has addressed the issue by releasing version 3.15.0.3, and acknowledges unauthorized script injection activity has been reported.
The security update must be deployed immediately, but administrators should also inspect checkout-related script configurations for unauthorized entries that may have been introduced prior to the security update implementation.
A review of software supply chain security within the WordPress ecosystem has also been initiated following the incident. Investigations are underway to determine whether the compromise resulted from vulnerabilities within plugin development workflows, third-party dependencies, or supporting infrastructure utilized during software development.
The threat actors are increasingly targeting the development environment and shared code libraries, since a successful intrusion can propagate malicious functionality across a wide range of downstream deployments.
There are indications that the injected code in this case is intended to circumvent standard authentication controls in order to establish privileged access to the account, perhaps by manipulating back end data structures or abusing application logic responsible for account provisioning.
After gaining access to the administrator-level accounts, attackers have broad control over the affected environment, allowing them to deface the website, steal customer records, and deploy additional malware, as well as maintain persistent access to the environment.
As a consequence of the compromise, there are also opportunities for secondary abuse, including the insertion of phishing content, malicious redirects, and SEO spam intended to manipulate search engine rankings without being noticed by site operators.
Aside from the immediate technical impact, organizations may be liable for considerable recovery costs, regulatory obligations relating to data exposure, incident response expenses, and long-term reputational damage, particularly if customer trust and online transactions form an integral part of their business model.
WordPress plugin compromises serve as a reminder that cyber threats are increasingly targeting trusted components that support digital businesses rather than the businesses themselves.
A number of websites can become entry points for large-scale abuse as attackers continue weaponizing software dependencies, plugin ecosystems, and checkout infrastructure.
Organizations which rely on WordPress and WooCommerce require security management that transcends patching vulnerabilities as soon as they are discovered; it is imperative to continuously monitor third-party components, implement strict access controls, detect proactive threats, and regularly review the integrity of the website.
Keeping visibility across the entire application supply chain remains one of the most effective ways to combat emerging threats, particularly in an environment where a single compromised plugin may compromise sensitive customer information.
