ATTACKERS are exploiting a critical flaw in the WordPress Funnel Builder plugin to inject e-skimmers into WooCommerce checkout pages, according to Sansec researchers. Funnel Builder, a checkout and upsell plugin used on over 40,000 WooCommerce stores, allows unauthenticated attackers to plant malicious scripts that are printed into every funnel checkout page and steal payment data during transactions.
The attackers insert a fake Google Tag Manager script into the plugin’s External Scripts setting; it conceals a payment skimmer that grabs credit card numbers, CVVs and billing addresses. According to the report, an unauthenticated request can reach the internal method that writes attacker‑controlled data into the plugin’s global settings, so the malicious code runs on every checkout.
Sansec also observed the attackers fetching a second-stage script from an attacker‑controlled domain over a WebSocket connection to a remote C2 server (wss://protect-wss[.]com/ws). FunnelKit has urged users to update to Funnel Builder version 3.15.0[.]3 and to review the External Scripts settings and remove unknown code; the researchers have published security guidance and IoCs. 17 May 2026.
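As an added defender-side example (not code from Sansec, FunnelKit or the article), the following audit parses a rendered checkout page and flags the patterns described above: scripts loaded from hosts outside a store's allowlist, WebSocket endpoints opened from inline scripts (including the C2 host named in the report), and an inline snippet that imitates Google Tag Manager without loading from Google. The allowlist and the sample HTML are constructed assumptions; a real store's allowlist must be tuned to its own tags.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts this store legitimately loads scripts from; adjust per site.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "js.stripe.com"}
# C2 host named in the Sansec report (written protect-wss[.]com in the article above).
KNOWN_C2_HOSTS = {"protect-wss.com"}
WS_RE = re.compile(r"wss?://[\w.\-]+(?:/[^\s'\"]*)?")

class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from checkout HTML."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_checkout_html(html):
    """Return findings for scripts that look like an injected skimmer or its C2 channel."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname or ""
        if host in KNOWN_C2_HOSTS:
            findings.append(f"known C2 host in script src: {src}")
        elif host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"script from non-allowlisted host: {src}")
    for body in p.inline:
        for ws in WS_RE.findall(body):
            kind = "known C2" if (urlparse(ws).hostname or "") in KNOWN_C2_HOSTS else "unexpected"
            findings.append(f"{kind} WebSocket endpoint in inline script: {ws}")
        # Heuristic for the fake-GTM lure: the snippet talks about GTM but never loads gtm.js from Google.
        if "googletagmanager" in body.lower() and "www.googletagmanager.com" not in body:
            findings.append("inline script imitates Google Tag Manager but does not load from www.googletagmanager.com")
    return findings

# Constructed sample: a legitimate Stripe script plus an injected fake-GTM snippet opening a WebSocket.
SAMPLE_HTML = """<script src="https://js.stripe.com/v3/"></script>
<script>/* googletagmanager */(function(){var ws=new WebSocket('wss://protect-wss.com/ws');})();</script>"""
```

Run `audit_checkout_html` over the HTML of each funnel checkout page (and, after cleanup, again to confirm the External Scripts setting no longer renders anything unexpected).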