Any customer who completed a purchase on an affected WooCommerce site while a skimmer was active may have had their full payment card number, CVV, and billing address stolen in real time. For site operators, this creates direct PCI-DSS breach notification obligations, potential card brand fines, and liability to affected customers. Reputational damage from a public payment card breach can cause lasting customer trust loss and increased cart abandonment.
You Are Affected If
You operate a WordPress site with FunnelKit Funnel Builder for WooCommerce Checkout installed at any version before 3.15.0.3
Your WooCommerce checkout pages are publicly accessible on the internet
You have not applied the patch released May 14, 2026 (version 3.15.0.3) since the vulnerability was disclosed
You have not audited the FunnelKit External Scripts configuration setting for unauthorized JavaScript content
Your WAF or IPS does not block unauthenticated POST requests to FunnelKit plugin endpoints
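As an added, defender-side example that is not part of the original advisory: a small audit script for the "unauthorized JavaScript content" check above. It assumes that whatever is stored in the External Scripts setting ends up rendered as `<script>` tags on the checkout page (an assumption, not something the advisory states), and it flags external scripts loaded from hosts outside an allowlist plus inline scripts carrying common skimmer indicators. The sample HTML and hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic indicators often seen in card-skimming JavaScript (review triggers, not proof).
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"\batob\s*\(", r"String\.fromCharCode", r"\beval\s*\(", r"unescape\s*\(",
    r"\b(cvv|cvc|card_number|cardnumber|ccnumber)\b", r"[A-Za-z0-9+/]{80,}={0,2}",
)]

class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its src attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def audit_scripts(html, allowed_hosts):
    """Return (reason, detail) findings for scripts on a checkout page that warrant review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(("external script from unlisted host", s["src"]))
        elif any(p.search(s["body"]) for p in SUSPICIOUS):
            findings.append(("inline script with skimmer-like indicators", s["body"][:60]))
    return findings

# Constructed sample checkout page: one legitimate script, one unlisted host, one inline skimmer-like script.
SAMPLE_HTML = """<html><body>
<script src="https://example-shop.test/wp-includes/js/jquery.js"></script>
<script src="https://cdn.unknown-host.test/s.js"></script>
<script>setInterval(function(){var c=document.querySelector('#cvv');},500);</script>
<script>console.log('checkout ready');</script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in audit_scripts(SAMPLE_HTML, {"example-shop.test"}):
        print(f"{reason}: {detail}")
```

Run it against a saved copy of the live checkout page (not a cached theme file) and treat every finding as something to compare against the plugin's known configuration.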
Board Talking Points
A critical flaw in a widely used WooCommerce checkout plugin is being actively exploited to silently steal customers' payment card data at the moment of purchase.
Any site running this plugin must be patched immediately to version 3.15.0.3 and audited for existing skimmer code — both actions should be completed within 24 hours.
Sites that do not act face ongoing customer payment card theft, PCI-DSS breach notification requirements, and potential card brand fines that can run into the tens of thousands of dollars.
PCI-DSS — the attack directly targets payment card numbers, CVVs, and billing data captured at checkout, triggering PCI-DSS breach notification and incident response obligations for affected merchants
GDPR / regional privacy law — billing name, address, and payment data harvested from EU or UK customers constitutes a personal data breach requiring assessment and potential supervisory authority notification within 72 hours of discovery