A critical vulnerability in the WordPress Funnel Builder plugin is being exploited by attackers to inject malicious JavaScript code into WooCommerce checkout pages, allowing them to steal sensitive customer payment information [1]. The Funnel Builder plugin, installed on over 40,000 WooCommerce stores, is a popular checkout and upsell tool developed by FunnelKit. Attackers are leveraging this flaw to inject e-skimmer code, which captures customers' card and payment details during the checkout process. This poses a significant threat to e-commerce sites using the vulnerable plugin, because the injected code lets attackers intercept sensitive customer data. The widespread use of the Funnel Builder plugin makes it a lucrative target for malicious actors. Practitioners should prioritize updating and securing their WooCommerce stores to prevent such exploits, as inaction could lead to severe financial losses for both businesses and their customers.
Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores
⚠️ Critical Alert
Why This Matters
Funnel Builder by FunnelKit is a checkout and upsell plugin installed on over 40,000 WooCommerce stores.
References
- SecurityAffairs. (2026, May 17). Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores. SecurityAffairs. https://securityaffairs.com/192260/cyber-crime/attackers-exploit-funnel-builder-bug-to-inject-e-skimmers-into-e-stores.html
Original Source
SecurityAffairs