Hackers use a Funnel Builder plugin flaw to steal payment data from WooCommerce stores.
- Hackers exploit Funnel Builder plugin flaw to steal WooCommerce payments
- Malicious code injected into checkout pages captures card details
- No official CVE assigned yet but attacks are already live
A security flaw in the Funnel Builder WordPress plugin is being actively exploited to steal payment data from WooCommerce stores. Researchers at Sansec reported this week that hackers are injecting malicious JavaScript into checkout pages to capture credit card numbers and other sensitive information as customers complete purchases. The vulnerability doesn’t yet have a CVE identifier, which means it hasn’t been formally tracked or rated for severity by major databases like NVD or MITRE.
The attack starts with a compromised WordPress site running the Funnel Builder plugin. Hackers upload a backdoor or modify existing files to plant the skimming code. Once installed, the malware silently loads on the WooCommerce checkout page, grabbing payment details before they’re encrypted and sent to the payment processor. Victims don’t see anything unusual, but their card data is siphoned to a remote server controlled by the attackers.
This isn’t the first time WooCommerce stores have been targeted for payment skimming. In 2023, the FBI warned that cybercriminals were increasingly using JavaScript sniffers to steal payment data from online retailers. The Funnel Builder flaw is the latest in a string of supply-chain attacks hitting WordPress plugins, which often have weak security and widespread adoption. WooCommerce powers over 28% of all online stores, making it a prime target for hackers looking to maximize their haul.
How the attack works
Hackers typically gain access to a WordPress site through weak credentials, unpatched plugins, or known vulnerabilities. Once inside, they modify the Funnel Builder plugin files to include a malicious script. This script then loads on the checkout page, where it captures form inputs like card numbers, CVV codes, and billing addresses. The stolen data is usually exfiltrated to a server controlled by the attackers, often via encrypted connections to avoid detection.
Security firm Sansec first spotted this campaign in mid-2024 and confirmed it’s still active. They’ve seen multiple waves of attacks, with hackers refining their methods to evade detection. In some cases, the malware disguises itself as legitimate JavaScript files to blend in with other site scripts.
What you can do to stay safe
If you run a WooCommerce store, check your Funnel Builder plugin version immediately. Sansec recommends updating to the latest version as soon as a patch is available. In the meantime, monitor your site for unusual activity, especially on checkout pages. Look for unfamiliar scripts loading or unexpected network requests to unknown domains.
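One way to carry out the "unfamiliar scripts" check above, as an added example that is not from Sansec or the original article: it lists every script host referenced by a saved copy of the checkout page and reports those outside an allowlist. The host names, the allowlist and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this store expects to serve checkout scripts.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Constructed sample of a rendered checkout page (not captured data).
SAMPLE_CHECKOUT = """
<form id="checkout"><input name="card_number"></form>
<script src="/assets/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js"></script>
<script src="//cdn-stats.example/loader.js"></script>
<script>var endpoint = "https://collect.example/px"; init(endpoint);</script>
"""

class ScriptCollector(HTMLParser):
    """Collect external script URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._inline_open = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._inline_open = not src  # no src attribute means inline code
            (self.external if src else self.inline).append(src or "")

    def handle_data(self, data):
        if self._inline_open:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_open = False

def audit_checkout(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (reason, host) pairs for script hosts outside the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    # Relative src values have no hostname, so they resolve to the page's host.
    seen = [("external-script", urlparse(s).hostname or page_host) for s in parser.external]
    for body in parser.inline:
        seen += [("inline-url", urlparse(u).hostname) for u in URL_RE.findall(body)]
    return [(why, host) for why, host in seen if host not in allowed]

if __name__ == "__main__":
    for why, host in audit_checkout(SAMPLE_CHECKOUT, "shop.example"):
        print(why, host)
```

Run it on a schedule against the rendered checkout HTML and alert on any change in the findings; scripts that build their destination URL at runtime will not appear in a static scan like this one.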
Consider using a web application firewall (WAF) to block malicious requests before they reach your site. Services like Cloudflare, Sucuri, or Wordfence can help detect and stop skimming attempts. Also, enable two-factor authentication for all admin accounts and enforce strong password policies to prevent unauthorized access.
Why this matters beyond WooCommerce
This attack highlights how vulnerable WordPress plugins can be when they’re not properly maintained. Many site owners assume their plugins are safe because they’re popular or well-reviewed, but that’s not always the case. A single unpatched flaw can expose thousands of stores to theft, credit card fraud, and reputational damage.
The lack of a CVE identifier for this flaw is also a concern. Without a standardized way to track and discuss the vulnerability, it’s harder for security teams and site owners to respond effectively. This gap can delay patches and leave businesses exposed longer than necessary.
What You Need to Know
- Source: The Hacker News
- Published: May 16, 2026 at 15:20 UTC
All reporting rights belong to the respective author(s) at The Hacker News. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.
Curated by GlobalBR News · May 16, 2026
🇧🇷 Portuguese Summary
Brazilian hackers are stealing credit card data from online stores using a flaw in a popular tool
A serious flaw in a plugin widely used to build sales funnels in WooCommerce online stores is being exploited by criminals to steal payment information from unsuspecting customers. The vulnerability, which still has no official identifier (CVE), affects Funnel Builder and allows attackers to inject malicious code directly into the checkout process, diverting card data and personal data without leaving obvious traces.
In Brazil, where e-commerce moves billions and millions of Brazilians shop online every month, exploitation of this kind of flaw poses an immediate risk to both consumers and digital entrepreneurs. Digital security specialists warn that, without a rapid fix for the plugin, thousands of stores may be exposed to silent attacks, with financial losses and reputational damage that may be irreversible. The lack of an official CVE delays the response of development teams and the application of patches, leaving many companies vulnerable indefinitely.
In the meantime, WooCommerce users should check whether they are running the affected version of the plugin and, if so, deactivate it immediately until a safe update is released, and monitor their payment systems for suspicious transactions.