{"id":247252,"date":"2026-05-16T11:20:00","date_gmt":"2026-05-16T15:20:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/16\/funnel-builder-flaw-under-active-exploitation-enables-woocommerce-checkout-skimming\/"},"modified":"2026-05-17T07:00:17","modified_gmt":"2026-05-17T11:00:17","slug":"funnel-builder-flaw-under-active-exploitation-enables-woocommerce-checkout-skimming","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/16\/funnel-builder-flaw-under-active-exploitation-enables-woocommerce-checkout-skimming\/","title":{"rendered":"Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/funnel-builder-flaw-under-active.html\">Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/funnel-builder-flaw-under-active.html\">https:\/\/thehackernews.com\/2026\/05\/funnel-builder-flaw-under-active.html<\/a><\/p>\n<p>Publish Date: 2026-05-16 11:20:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">May 16, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Website Security<\/span><\/p>\n<p>\n  A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data.\n<\/p>\n<p>\n  Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It affects all versions of the plugin before 3.15.0.3. 
It&#8217;s used in more than 40,000 WooCommerce stores.\u00a0\n<\/p>\n<p>\n  The flaw lets unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store, the Dutch e-commerce security company said. FunnelKit, which maintains Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3.\n<\/p>\n<p>\n  &#8220;Attackers are planting fake Google Tag Manager scripts into the plugin&#8217;s &#8216;External Scripts&#8217; setting,&#8221; it noted. &#8220;The injected code looks like ordinary analytics next to the store&#8217;s real tags, but loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from checkout.&#8221;\n<\/p>\n<p>\n  Per Sansec, Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run. However, older versions were designed such that they never checked the caller&#8217;s permissions or limited which methods are allowed to be invoked.\n<\/p>\n<p>\n  A bad actor could exploit this loophole by issuing an unauthenticated request that can reach an unspecified internal method that writes attacker-controlled data directly into the plugin&#8217;s global settings. The added code snippet is then injected into every Funnel Builder checkout page.\n<\/p>\n<p>As a result, an attacker could plant a malicious <\/p>\n<p>\n  In at least one case, Sansec said it observed a payload masquerading as a Google Tag Manager (GTM) loader to launch JavaScript hosted on a remote domain. 
It subsequently opens a WebSocket connection to the attacker&#8217;s&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/funnel-builder-flaw-under-active.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming https:\/\/thehackernews.com\/2026\/05\/funnel-builder-flaw-under-active.html Publish Date: 2026-05-16 11:20:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":247253,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgYS8AhChFEeH6IwT4x1eB5VAeGfriF4VVcwINAxXVIGyap3g0CKx0R2BdI4s99cE3Q5JHr-KUVHqdhAFNfQIrCTJ6p-vq7u5naMTwb-WFjgis4vBdR29M94wAT-Dqh46zsbo4heSJOVdFRxXzR3SgHt2ZoTPPBEbB3cu4azACiFFl7jcIGNxw1d_U7eVU9\/s1600\/funnel.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-247252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247252"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=247252"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247252\/revisions"}],"predecessor-version":[{"id":247254,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/247252\/revisions\/247254"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/w
p\/v2\/media\/247253"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=247252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=247252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=247252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}