An unauthenticated remote code injection vulnerability in the FunnelKit Funnel Builder for WooCommerce Checkout plugin (all versions before 3.15.0.3) is being actively exploited to inject JavaScript card skimmers into checkout pages across an estimated 40,000+ installations. The skimmers capture payment card numbers, CVVs, and billing data and exfiltrate them over WebSocket connections. A patch was released on May 14, 2026; sites that have not yet applied it are actively exposing customer payment data.
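A triage check a site owner could run, added here as an example and not taken from the advisory or from FunnelKit: it compares an installed plugin version against the fixed release 3.15.0.3 and lists WebSocket hosts referenced in a saved copy of the checkout page that are not on the site's own allowlist. The function names, the allowlist and the sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlparse

FIXED_VERSION = (3, 15, 0, 3)  # first patched release, as stated in the text above

def parse_version(text):
    """Turn '3.15.0.2' into a 4-tuple of ints; short versions are zero-padded."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def is_vulnerable(version_text):
    """True when the installed version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION

# Literal ws:// or wss:// URLs anywhere in the markup or inline scripts.
WS_URL = re.compile(r"""wss?://[^\s"'`<>)\\]+""", re.IGNORECASE)

def unexpected_websocket_hosts(html, allowed_hosts):
    """Return sorted WebSocket hosts in the page that are not allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    found = set()
    for url in WS_URL.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            found.add(host)
    return sorted(found)

# Constructed sample: one expected socket and one unknown one (reserved TLDs).
SAMPLE_CHECKOUT_HTML = """
<form id="checkout"><input name="billing_email"></form>
<script>var live = new WebSocket("wss://chat.shop.example/socket");</script>
<script>var s = new WebSocket('wss://collector.invalid/ws');</script>
"""

if __name__ == "__main__":
    for v in ("3.15.0.2", "3.15.0.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    # The allowlist is an assumption: hosts the shop itself is known to use.
    print(unexpected_websocket_hosts(SAMPLE_CHECKOUT_HTML, {"chat.shop.example"}))
```

A skimmer that builds its endpoint at runtime will not appear as a literal URL, so an empty result does not show the page is clean. A Content-Security-Policy `connect-src` restriction on checkout pages covers that case, because it also governs WebSocket connections.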