An actively exploited unauthenticated settings injection vulnerability in the FunnelKit Funnel Builder for WooCommerce Checkout plugin allows attackers to inject payment card skimming JavaScript into checkout pages with no credentials or user interaction required. Tens of thousands of WooCommerce stores running plugin versions 3.15.0.1 and earlier are exposed to real-time customer payment card theft. An emergency patch (version 3.15.0.3) is available and should be treated as an active incident response item, not routine maintenance.