Critical WordPress Plugin Exploit Targets WooCommerce, Sparks Security Alert for 40,000+ Stores
May 16, 2026
No CVE had been assigned at the time of reporting.
Readers should monitor for unfamiliar checkout scripts and follow security advisories from Sansec and The Hacker News for updates.
Funnel Builder has released a patch in version 3.15.0.3; store owners should update and audit External Scripts under Settings > Checkout to remove unfamiliar entries.
The wider threat context includes other web security risks, such as backdoored Joomla sites delivering obfuscated PHP backdoors.
Sansec researchers documented the exploit, the payload, and recommended immediate remediation.
The advisory urges site owners to update via the WordPress dashboard and audit External Scripts under Settings > Checkout to remove unauthorized entries.
The malicious code delivers a customized skimmer that exfiltrates credit cards, CVVs, billing addresses, and other customer data.
Exploitation is active in the wild, affecting all versions prior to 3.15.0.3, with over 40,000 affected WooCommerce stores.
The payload masquerades as a Google Tag Manager loader and opens a WebSocket to a remote C2 server to fetch a tailored skimmer.
A critical vulnerability in the Funnel Builder (FunnelKit) WordPress plugin is actively exploited to inject malicious JavaScript into WooCommerce checkout pages, enabling data theft.
Sansec notes the skimmer technique mirrors Magecart patterns by disguising malicious code as legitimate analytics or tag management scripts.
Attackers abuse the plugin’s public checkout endpoint and its External Scripts setting to inject code into every checkout page; the publicly exposed endpoint previously allowed unauthenticated writes to the plugin’s settings.
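An added example, not code from Sansec or the plugin vendor: a Python check that audits a saved copy of a checkout page for script hosts outside an allowlist and for inline scripts that open a WebSocket, the behaviour described above for the fake Google Tag Manager loader. The allowlist, the `shop.example` host and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: hosts this store intentionally loads scripts from; edit per store.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "www.googletagmanager.com", "js.stripe.com"}
WS_PATTERN = re.compile(r"new\s+WebSocket\s*\(|\bwss?://", re.I)  # tag loaders do not need WebSockets

# Constructed sample of a saved checkout page; the .invalid hosts are placeholders.
SAMPLE = """<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/wp-content/themes/store/checkout.js"></script>
<script src="https://cdn.unknown-tags.invalid/gtm.js"></script>
<script>(function(w){var s=new WebSocket("wss://c2.invalid/ws");})(window);</script>
<script>window.dataLayer=window.dataLayer||[];</script>"""

class ScriptAudit(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_checkout_html(html, page_host="shop.example"):
    """Return (reason, detail) findings for a saved checkout page."""
    p = ScriptAudit()
    p.feed(html)
    hosts = [urlparse(s).hostname or page_host for s in p.external]  # relative src = same origin
    findings = [("unlisted-script-host", h) for h in hosts if h not in ALLOWED_SCRIPT_HOSTS]
    findings += [("inline-websocket", b.strip()[:60]) for b in p.inline if WS_PATTERN.search(b)]
    return findings
```

A finding is a prompt to review the External Scripts entries under Settings > Checkout, not proof of compromise on its own.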
Summary based on 2 sources
Sources

The Hacker News • May 16, 2026
Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
BleepingComputer • May 15, 2026
Funnel Builder WordPress plugin bug exploited to steal credit cards