Executive Summary
In May 2026, a critical vulnerability in the Funnel Builder plugin for WordPress was actively exploited to inject malicious JavaScript into WooCommerce checkout pages, aiming to steal customer payment information. The flaw, affecting versions prior to 3.15.0.3, allowed unauthenticated attackers to modify global settings via an unprotected checkout endpoint, leading to the execution of malicious code on every checkout page. FunnelKit, the plugin's developer, released a patch in version 3.15.0.3 to address this issue.
This incident underscores the persistent threat of supply chain attacks that target widely used plugins to compromise e-commerce platforms. The exploitation of such vulnerabilities highlights the importance of timely software updates and vigilant monitoring of third-party components to safeguard sensitive customer data.
Why This Matters Now
The active exploitation of this vulnerability demonstrates the ongoing risk posed by unpatched plugins in the WordPress ecosystem, emphasizing the need for immediate updates and continuous security assessments to protect e-commerce operations and customer trust.
Attack Path Analysis
An unauthenticated attacker exploited a vulnerability in the Funnel Builder plugin to inject malicious JavaScript into WooCommerce checkout pages, leading to the theft of customer payment data.
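As an added defender-side illustration (not code from the sources above, nor FunnelKit's), the check below parses the HTML of a checkout page and reports any script tag whose source host is outside an allowlist, plus a hash of every inline script, so a periodic integrity scan can catch an unexpected injection of the kind described. The sample page and the allowlist are constructed; the `skimmer-host.invalid` host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib

# Hosts from which the shop legitimately loads scripts (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Constructed sample of a checkout page with one unexpected external script.
CHECKOUT_HTML = """<html><body>
<script src="https://cdn.example/woocommerce.min.js"></script>
<script src="//skimmer-host.invalid/c.js"></script>
<script>window.wcSettings={};</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True  # body of this tag arrives via handle_data

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return unexpected external script URLs and SHA-256 hashes of inline scripts.
    Comparing the inline hashes against a stored baseline reveals any change to
    the page's inline JavaScript, which is where injected settings-based code lands."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = {"unexpected_external": [], "inline_sha256": []}
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        # Relative URLs (empty host) are served by the shop itself; treat as allowed.
        if host and host not in allowed_hosts:
            findings["unexpected_external"].append(src)
    for body in parser.inline:
        findings["inline_sha256"].append(hashlib.sha256(body.encode()).hexdigest())
    return findings
```

Run `audit_checkout_html(CHECKOUT_HTML)` against a fresh fetch of the live checkout page on a schedule and alert on any new external host or inline hash.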
Kill Chain Progression
Initial Compromise
Description
The attacker exploited an unauthenticated SQL Injection vulnerability in the Funnel Builder plugin to gain unauthorized access to the WordPress site's database.
Related CVEs
CVE-2026-42381
CVSS 8: An unauthenticated SQL Injection vulnerability in the FunnelKit Funnel Builder plugin allows attackers to extract sensitive information from the database.
Affected Products: FunnelKit Funnel Builder – <= 3.15.0.1
Exploit Status: Exploited in the wild
CVE-2025-54750
CVSS 7.5: A Local File Inclusion vulnerability in the FunnelKit Funnel Builder plugin allows unauthenticated attackers to include and execute arbitrary files on the server.
Affected Products: FunnelKit Funnel Builder – <= 3.11.1
Exploit Status: Proof of concept
CVE-2025-12878
CVSS 6.4: An authenticated Stored Cross-Site Scripting vulnerability in the FunnelKit Funnel Builder plugin allows contributors to inject malicious scripts.
Affected Products: FunnelKit Funnel Builder – <= 3.13.1.2
Exploit Status: Proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
JavaScript
Spearphishing Link
Web Protocols
Password Guessing
Web Shell
Local Accounts
File and Directory Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Web application exploitation targeting WooCommerce checkout pages creates critical payment data theft risks, requiring enhanced egress security and threat detection capabilities.
E-Learning
WordPress-based platforms face Funnel Builder vulnerabilities enabling JavaScript injection attacks, necessitating inline IPS protection and zero trust segmentation for payment processing.
Financial Services
Payment data skimming through compromised checkout systems demands encrypted traffic controls, anomaly detection, and strict egress policy enforcement to prevent exfiltration.
Consumer Services
Active exploitation of funnel builder flaws threatens customer payment security, requiring multicloud visibility, secure hybrid connectivity, and comprehensive threat response mechanisms.
Sources
- Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming – https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html
- WordPress Funnel Builder vulnerability exploited to steal payment data – https://www.scworld.com/brief/wordpress-funnel-builder-vulnerability-exploited-to-steal-payment-data
- FunnelKit – Funnel Builder for WooCommerce Checkout WordPress Plugin Security Vulnerabilities – https://wpscan.com/plugin/funnel-builder/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities and move laterally within the cloud environment, thereby reducing the potential blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the SQL Injection vulnerability may have been constrained, limiting unauthorized access to the database.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and modify plugin settings could have been limited, reducing the scope of unauthorized changes.
Control: East-West Traffic Security
Mitigation: The propagation of malicious scripts across checkout pages may have been constrained, limiting the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: The establishment of unauthorized external connections could have been limited, reducing the attacker's ability to control compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive payment data may have been constrained, limiting unauthorized data transmission.
The overall impact of the breach could have been reduced, limiting financial and reputational damage.
Impact at a Glance
Affected Business Functions
- E-commerce Checkout
- Payment Processing
- Customer Data Management
Estimated downtime: 7 days
Estimated loss: $50,000
Compromised data: Payment card information of customers, including credit card numbers, CVVs, and billing addresses.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict plugin access and prevent unauthorized modifications.
- Deploy Inline IPS (Suricata) to detect and block malicious payloads targeting known vulnerabilities.
- Utilize Cloud Firewall (ACF) to control outbound traffic and prevent unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities promptly.
- Regularly update and patch plugins to mitigate known vulnerabilities and reduce the attack surface.