A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript code into WooCommerce checkout pages, allowing attackers to steal payment data. The flaw, which currently lacks an official CVE identifier, enables threat actors to hijack sensitive information from unsuspecting customers. According to research published by Sansec, the exploitation is ongoing, highlighting the need for immediate attention from WordPress administrators and WooCommerce users. The vulnerability's impact is significant, as it can lead to widespread payment data theft and compromise the security of numerous online stores. This active exploitation underscores the importance of staying informed about emerging threats and taking proactive measures to protect against them. For practitioners, what matters most is prompt patching and monitoring to prevent such exploits.