Funnel Builder Plugin Vulnerability: Active Exploitation Enables WooCommerce Payment Skimming

A critical security flaw in the Funnel Builder plugin for WordPress is currently being actively exploited to inject malicious scripts into WooCommerce checkout pages. This skimming attack aims to steal customer payment data. Discovered by security firm Sansec, the vulnerability has no official CVE identifier yet. Below we answer key questions about this threat.


What is the Funnel Builder plugin and why is it popular?

The Funnel Builder plugin is a popular WordPress extension designed to help e-commerce site owners create optimized sales funnels. It integrates seamlessly with WooCommerce, allowing users to build custom checkout flows, upsells, and thank-you pages without coding. Its drag-and-drop interface and pre-built templates attract many businesses looking to boost conversions. Because of its deep integration with WooCommerce, it has access to sensitive checkout data, making it a prime target for attackers. The plugin is maintained by a third-party developer and is used by thousands of online stores.

Source: feeds.feedburner.com

What specific vulnerability is being exploited?

The vulnerability is a critical security flaw that allows an attacker to inject malicious JavaScript code into WooCommerce checkout pages. The exact root cause has not been publicly detailed to avoid aiding attackers, but it likely involves improper sanitization of user input or insecure handling of plugin configuration data. This flaw can be triggered without authentication, making it especially dangerous. Once injected, the malicious script runs in the context of the checkout page, blending seamlessly with legitimate code. The vulnerability currently lacks an official CVE identifier, which means it may not be immediately recognized by automated security scanners.

How exactly does the exploitation work for payment skimming?

Attackers target sites running the vulnerable Funnel Builder plugin by injecting JavaScript that executes when a customer reaches the WooCommerce checkout page. This script intercepts form submissions, capturing credit card numbers, expiration dates, CVV codes, and billing addresses in real time. The stolen data is then exfiltrated to an attacker-controlled server, often via a hidden HTTP request or by encoding it in an image URL. Because the script runs on the same page as the legitimate checkout code, it appears completely normal to the customer and even to many security tools. This method is known as client-side skimming or form grabbing.
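The description above gives a defender two concrete things to look for on a checkout page: scripts loaded from hosts the store does not normally use, and inline scripts that hook form submission or payment fields and also contain a way to send data off-page (a request primitive or an off-site URL). The following auditor is an added example written for this article, not code from Sansec, WooCommerce or the plugin; the allowlisted hosts and the sample checkout HTML are constructed for the demonstration.

```python
"""Audit a WooCommerce checkout page's HTML for injected-script indicators.

Added example (not from the original article or the plugin). It flags
(1) external <script src> references whose host is not on the store's
allowlist, and (2) inline scripts that both reference form submission /
payment fields and contain a network primitive or an off-site URL, the
combination the skimming technique described above relies on.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from (assumption for the example).
ALLOWED_HOSTS = {"shop.example", "js.stripe.com"}

# Indicators taken from the attack description: hooks on the checkout form or
# card fields, plus a primitive that can carry data off the page.
FORM_HOOKS = re.compile(
    r"addEventListener\(\s*['\"]submit['\"]|onsubmit|card-number|cvc|cvv|expiry", re.I)
EXFIL_PRIMITIVES = re.compile(
    r"new\s+Image\(|\.src\s*=|fetch\(|XMLHttpRequest|sendBeacon", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        # Script bodies arrive as CDATA chunks between <script> and </script>.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (finding_kind, detail) tuples for suspicious scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-script-unknown-host", host))
    for body in parser.inline:
        hooks = FORM_HOOKS.search(body) is not None
        exfil = EXFIL_PRIMITIVES.search(body) is not None
        foreign = [u for u in URL_RE.findall(body)
                   if urlparse(u).hostname not in allowed_hosts]
        if hooks and (exfil or foreign):
            findings.append(("inline-skimmer-indicators",
                             foreign[0] if foreign else "no-url"))
    return findings


# Constructed sample: a legitimate checkout page with one injected inline
# script that hooks form submission and points at an unknown host.
SAMPLE_CHECKOUT = """<html><body>
<form class="checkout"><input name="card-number"><input name="cvc"></form>
<script src="https://shop.example/wp-content/plugins/woocommerce/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script>jQuery(function($){ $('.woocommerce-checkout').addClass('ready'); });</script>
<script>document.querySelector('form.checkout').addEventListener('submit',function(){
  var i=new Image(); i.src='https://stats-cdn.example.net/p.gif?q='+Date.now(); });</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(SAMPLE_CHECKOUT):
        print(f"{kind}: {detail}")
```

Run it against a saved copy of the live checkout page (as a logged-out customer would see it) and diff the findings between a known-good snapshot and the current page; the plain jQuery helper in the sample is not flagged because it hooks nothing, while the injected handler trips both the form-hook and off-site-URL checks.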


What data is at risk from this attack?

The primary target is payment card data entered during WooCommerce checkout. This includes full credit or debit card numbers, expiration dates, cardholder names, CVV codes, and billing addresses. In some cases, attackers may also capture email addresses and phone numbers for additional fraud or phishing campaigns. Any customer who completes a purchase on a compromised site may have their financial information exposed. Since the malicious script runs client-side, even stores that process payments through a secure gateway (like Stripe or PayPal) can have their customers’ data stolen before it reaches the gateway.

Who discovered and reported this vulnerability?

The security firm Sansec published the initial report detailing the active exploitation. Sansec specializes in detecting and preventing digital skimming and has a track record of uncovering Magecart-type attacks targeting e-commerce platforms. They observed the malicious activity in the wild and alerted the WordPress security community. As of the report, the plugin developer has not released a patch, and no CVE has been assigned. Sansec advised site owners to temporarily disable the Funnel Builder plugin until a fix is provided.

Why is there no CVE identifier, and what mitigations exist?

CVEs are typically assigned by MITRE or other organizations after a vulnerability is reported and confirmed. In this case, the lack of a CVE may stem from the plugin developer not yet acknowledging the flaw or from the reporting process being incomplete. Without a CVE, vulnerability databases and automated scanners may not flag the issue. Mitigations for site owners include: immediately disabling the Funnel Builder plugin, monitoring WooCommerce logs for unusual scripts, adding a web application firewall (WAF) rule to block known patterns, and using content security policy (CSP) headers to restrict script execution. Regularly updating all plugins and themes is also critical. As a long-term fix, users should apply a patched version as soon as one is released by the developer.
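Of the mitigations listed, the Content Security Policy is the one that directly addresses the injection pattern described above: an inline script without a valid nonce does not run, and an image beacon or fetch to a host outside the policy is blocked. The code below is an added example, not code from the article, WooCommerce or the plugin; it builds such a policy and applies a simplified CSP source-matching rule (host names, `'self'` and nonces only, no wildcard or scheme matching) so you can see which resources it permits. The hosts and the nonce are assumptions for the demonstration.

```python
"""Build a restrictive Content-Security-Policy for a checkout page and check
which resources it would allow.

Added example (not from the original article). The matcher is simplified:
it understands 'self', 'nonce-...' and plain host sources, which is enough
to show why nonce-gated inline scripts and a narrow img-src / connect-src
defeat the injected-script and image-URL exfiltration pattern.
"""
import secrets
from urllib.parse import urlparse


def build_csp(script_hosts, img_hosts, connect_hosts, nonce):
    """Assemble a CSP header: scripts only from 'self', listed hosts and
    nonce-tagged inline blocks; images and XHR/fetch only to known hosts."""
    script_src = ["'self'", f"'nonce-{nonce}'"] + sorted(script_hosts)
    img_src = ["'self'"] + sorted(img_hosts)
    connect_src = ["'self'"] + sorted(connect_hosts)
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "img-src " + " ".join(img_src),
        "connect-src " + " ".join(connect_src),
        "form-action 'self'",
    ])


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def is_allowed(header, directive, page_origin, resource, nonce=None):
    """Simplified CSP decision for one resource.

    resource is a URL or the string 'inline' (an inline <script>). When the
    directive is absent the check falls back to default-src, as CSP does.
    """
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", []))
    if resource == "inline":
        # Inline code runs only if it carries the per-response nonce.
        return nonce is not None and f"'nonce-{nonce}'" in sources
    host = urlparse(resource).hostname
    if host == urlparse(page_origin).hostname and "'self'" in sources:
        return True
    return host in sources


def new_nonce():
    """Per-response nonce; regenerate on every page render."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    nonce = new_nonce()
    header = build_csp({"js.stripe.com"}, set(), {"api.stripe.com"}, nonce)
    origin = "https://shop.example"
    print(header)
    for directive, res in [("script-src", "inline"),
                           ("img-src", "https://stats-cdn.example.net/p.gif"),
                           ("script-src", "https://js.stripe.com/v3/")]:
        print(directive, res, "->", is_allowed(header, directive, origin, res))
```

In a WordPress deployment the header is typically emitted from the web server configuration or a `send_headers` hook, and the same nonce must be added to every legitimate inline script WooCommerce and the theme print; because checkout pages carry several such inline blocks, roll the policy out as `Content-Security-Policy-Report-Only` first and tighten it once the reports show only the expected sources.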
