Critical WooCommerce Risk: Unauthenticated JavaScript Injection in Funnel Builder Exposes 40,000+ Stores to Magecart-Style Skimmers

As of May 2026, the WooCommerce ecosystem continues to be a prime target for supply-chain-adjacent threats. Security researchers at Sansec have identified active exploitation of a critical vulnerability in Funnel Builder by FunnelKit, a widely deployed checkout and upsell plugin.

With over 40,000 active installations, this flaw allows unauthenticated attackers to inject arbitrary JavaScript into every checkout page, effectively turning legitimate payment flows into real-time data-harvesting traps.

Technical Breakdown: How the Vulnerability Works

The root cause lies in how Funnel Builder handles internal AJAX dispatching. The plugin exposes a public checkout endpoint that dynamically routes requests to internal methods based on user-supplied parameters. In versions prior to 3.15.0.3, this dispatcher completely bypasses WordPress capability checks and lacks an allow-list for permitted methods.

Consequently, an unauthenticated actor can craft a carefully structured HTTP request that writes attacker-controlled payloads directly into the plugin’s global configuration. Specifically, the vulnerability targets the External Scripts field. Whatever code an attacker injects here gets rendered verbatim on every Funnel Builder checkout page, granting persistent, site-wide JavaScript execution without requiring admin credentials or prior compromise.

FunnelKit addressed this in version 3.15.0.3 by enforcing strict capability validation and restricting the AJAX dispatcher to a hardcoded allow-list of safe methods. The exact code changes are documented in the official WordPress.org changeset here.

Payload Analysis: The Fake GTM Wrapper

Sansec’s telemetry shows attackers aren’t dropping random payloads. They’re leveraging a well-worn Magecart playbook: masquerading as legitimate analytics. The injected code is carefully crafted to resemble a standard Google Tag Manager loader, complete with familiar variable names and a plausible document.createElement structure. This social engineering layer is deliberate; store owners, developers, and automated scanners often overlook anything resembling known tracking scripts.

Once the checkout page loads, the script decodes a base64 string and dynamically fetches a secondary payload from analytics-reports[.]com/wss/jquery-lib.js. This loader establishes a persistent WebSocket connection to wss://protect-wss[.]com/ws. From there, the attacker’s command-and-control infrastructure streams a custom-tailored payment skimmer back to the victim’s browser. The skimmer hooks into the checkout form, intercepting credit card numbers, CVVs, billing addresses, and email fields in real-time before the transaction completes.

Because the skimmer operates entirely client-side, it bypasses server-side WAF rules, leaves minimal server-side artifacts, and blends into normal browser network traffic. Detection relies heavily on behavioral monitoring, DOM integrity checks, and strict external script governance.

Business Impact & Compliance Risks

The implications extend far beyond immediate financial fraud. Merchants using this plugin face:

  • PCI-DSS Non-Compliance: Client-side skimming violates requirement 6.5.7 and 11.5, potentially triggering audit failures and increased processing fees.
  • Chargeback Liabilities: Stolen payment data leads to fraudulent transactions, forcing merchants to absorb chargebacks and dispute costs.
  • Reputational Damage: Customers lose trust when their financial information is compromised, often resulting in long-term revenue decline.

Remediation & Hardening Steps

While patching is non-negotiable, relying solely on vendor updates leaves a window of exposure. Follow this hardening checklist immediately:

  1. Update to 3.15.0.3 or later: Upgrade Funnel Builder and all related FunnelKit plugins via your WordPress dashboard.
  2. Audit External Scripts: Navigate to Settings > Checkout > External Scripts and review every injected snippet. Remove any code that lacks a documented business purpose, appears obfuscated, or references unknown domains.
  3. Deploy Continuous Monitoring: Use specialized e-commerce security tools like eComscan to scan for this specific skimmer, along with backdoors, file integrity violations, and known vulnerable dependencies.
  4. Implement Content Security Policy (CSP): Restrict inline script execution and limit script-src directives to explicitly trusted CDNs. This neutralizes base64-decoded loaders and dynamic WebSocket fetches.

Indicators of Compromise (IoCs)

Monitor your network logs, DOM snapshots, and plugin settings for the following artifacts:

analytics-reports[.]com/wss/jquery-lib.js
wss://protect-wss[.]com/ws

Final Thoughts

Supply-chain vulnerabilities in WordPress plugins remain one of the most efficient attack vectors for payment card theft. Attackers no longer need to compromise your server to steal customer data; they only need one unpatched endpoint and a cleverly disguised script.

Combine prompt vendor updates with active code integrity monitoring, strict external script governance, and behavioral detection to keep your checkout pipeline secure.

Related Articles

Back to top button