Active Exploitation in the Wild
A critical security vulnerability in the Funnel Builder plugin for WordPress has entered active exploitation, with threat actors injecting malicious JavaScript code into WooCommerce checkout pages to steal payment card data. Security researchers published details of the campaign on May 16, 2026.
The attack targets e-commerce sites running WooCommerce with the Funnel Builder plugin installed — a combination used by tens of thousands of online stores to create sales funnels and optimized checkout flows.
How the Attack Works
Exploiting the flaw in Funnel Builder, attackers gain the ability to modify the checkout page template rendered by WooCommerce. They inject a JavaScript payment skimmer — a lightweight script that silently captures form field values (card number, CVV, expiry date, billing name and address) as the victim completes their purchase.
The stolen data is exfiltrated to an attacker-controlled server in real time, typically encoded in a way that blends with normal analytics or tracking traffic to evade detection by network monitoring tools.
The victim's transaction still completes normally, meaning neither the merchant nor the customer is immediately aware of the compromise.
Why This Is Significant
WordPress powers an estimated 43% of all websites, and WooCommerce is by far the most popular e-commerce platform built on top of it. Plugin vulnerabilities that enable checkout manipulation represent a significant threat to consumers — credit card data stolen via skimmers is typically sold in bulk on criminal marketplaces or used directly for fraudulent transactions within hours of capture.
This class of attack mirrors techniques used by the well-documented Magecart group and its successors, which have targeted payment pages across thousands of sites over the past several years.
Indicators and Recommendations
For site administrators:
- Update the Funnel Builder plugin to the latest patched version immediately
- Audit your checkout page source for unexpected <script> tags or base64-encoded blobs
- Review server-side file modification timestamps for recently altered theme or plugin files
- Enable a Web Application Firewall (WAF) with WordPress-specific rules
- Implement Subresource Integrity (SRI) checks and a strict Content Security Policy (CSP) to limit the execution of unauthorized scripts
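As an added example, not code from the original article, the audit step above can be partly automated: this Python script parses a checkout page and flags script tags an administrator should look at (external hosts off an allowlist, inline use of atob/eval, long base64-like blobs). The allowlist hosts and the sample page are constructed for the demo and must be replaced with the store's own values.

```python
import re
from html.parser import HTMLParser

# Script hosts this store expects on its checkout page (hypothetical allowlist).
ALLOWED_SCRIPT_HOSTS = {"gateway.example", "cdn.example"}

# Constructed sample checkout page: three expected scripts plus two suspicious ones.
SAMPLE_CHECKOUT_HTML = """<html><body>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://gateway.example/v3/"></script>
<script>var wc_checkout_params = {"ajax_url": "/?wc-ajax=%%endpoint%%"};</script>
<script src="https://tracking-lookalike.invalid/t.js"></script>
<script>var k = atob("QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB");</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    # Collects every <script> tag as (src attribute, inline body).
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None

def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    # Returns (reason, snippet) findings for script tags that need a human look.
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = re.sub(r"^(?:https?:)?//", "", src).split("/")[0].lower()  # "" for same-origin paths
            if host and host not in allowed_hosts:
                findings.append(("external script host not on allowlist", src))
            continue
        if re.search(r"\b(?:atob|eval|unescape)\s*\(", body):
            findings.append(("inline script uses decode/eval", body[:60]))
        if re.search(r"[A-Za-z0-9+/]{40,}={0,2}", body):
            findings.append(("inline script contains long base64-like blob", body[:60]))
    return findings
```

The base64 heuristic also trips on legitimate minified code, so treat findings as a review queue rather than a verdict, and diff them against a known-good capture of the page.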
For consumers:
- Use virtual or single-use card numbers for online purchases where available
- Monitor card statements closely for unexpected small transactions (skimmers often test with micro-charges)
- Prefer payment methods that do not expose full card data (e.g., PayPal, Apple Pay, Google Pay)