Severity: CRITICAL
CVSS: 9.5
Priority: 0.465
Executive Summary
A critical vulnerability in the FunnelKit Funnel Builder WordPress plugin allows attackers to inject malicious payment card skimming code into WooCommerce checkout pages without any login or credentials. According to security researchers, tens of thousands of active online stores running versions 3.15.0.1 and earlier are exposed to real-time theft of customer payment card data at the point of purchase. The vendor has released an emergency patch (version 3.15.0.3); any store not yet upgraded should treat this as an active incident, not a scheduled maintenance item.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
Probably. If you recently bought something online from a small or mid-size store and paid by card, your card details may have been copied without the store knowing.
What got out
Suspected: payment card number, expiry date, and security code
Suspected: name and billing address entered at checkout
Suspected: any other details typed into the payment form
Do this now
1. Check your card statements now for any charges you did not make.
2. Call your bank and ask them to watch your card for fraud, or replace it.
3. If you see a charge you do not recognize, report it to your bank right away.
Watch for these
Small test charges of a dollar or two you did not make.
Emails or texts claiming to be from a store asking you to re-enter your card.
Your bank calling about unusual purchases in a different city or country.
Should you worry?
Your card details may have been copied, but banks can usually reverse fraud charges if you report them quickly. Act now by checking your statement, and you will likely be protected.
Impact Assessment
CISA KEV Status: Not listed
Attack Vector: HIGH (exploitable remotely over the internet)
Complexity: HIGH (no special conditions required to exploit)
Authentication: HIGH (no credentials needed — anyone can attempt)
User Interaction: HIGH (fully automated — no user action needed)
Active Exploitation: LOW (no confirmed active exploitation)
Affected Product: INFO (FunnelKit Funnel Builder for WooCommerce Checkout plugin for WordPress, versions <= 3.15.0.1; patched in 3.15.0.3)
Are You Exposed?
⚠ You use FunnelKit Funnel Builder for WooCommerce Checkout plugin for WordPress, versions <= 3.15.0.1 (patched in 3.15.0.3) → Investigate immediately
⚠ Affected systems are internet-facing → Increased attack surface
✓ You have patched to the latest version → Reduced risk
✓ Systems are behind network segmentation / WAF → Mitigated exposure
Assessment estimated from CVSS base score (no vector available)
Business Context
Every WooCommerce store on an unpatched version is actively harvesting customer payment card data for attackers at the moment of purchase, with no warning to the customer or the store. Direct costs include payment card fraud liability, potential card-brand fines, and mandatory forensic investigation costs under PCI-DSS breach response requirements. Reputational damage from customer card fraud reports can permanently reduce checkout conversion rates and trigger payment processor review of the merchant account.
You Are Affected If
You operate a WordPress site with FunnelKit Funnel Builder for WooCommerce Checkout installed at version 3.15.0.1 or earlier
Your WooCommerce checkout flow uses FunnelKit-managed checkout pages rather than native WooCommerce checkout
Your site is internet-facing and does not have a WAF rule blocking unauthenticated writes to FunnelKit plugin settings endpoints
You have not yet applied the emergency patch to version 3.15.0.3 released by FunnelKit
Your plugin update process follows a scheduled cycle rather than an emergency track, meaning the patch has not yet been evaluated for deployment
Board Talking Points
Attackers are actively stealing customer payment card numbers from online stores running an unpatched version of a widely used WooCommerce checkout plugin, with roughly 40,000 stores at risk.
Any store we operate on this plugin must upgrade to version 3.15.0.3 today, or take checkout offline until the patch is applied.
Stores that do not act immediately face confirmed payment card fraud liability, potential PCI-DSS breach notification requirements, and reputational damage from customer fraud reports.
PCI-DSS — vulnerability directly enables real-time payment card data exfiltration at the WooCommerce checkout stage; affected merchants are subject to PCI-DSS breach response, forensic investigation, and potential card-brand notification requirements
GDPR — payment card and personal data of EU customers transacting through affected checkout pages may have been exfiltrated, triggering 72-hour supervisory authority notification assessment under Article 33
Technical Analysis
The FunnelKit Funnel Builder for WooCommerce Checkout plugin (WordPress) contains an unauthenticated settings injection vulnerability affecting all versions through 3.15.0.1, patched in 3.15.0.3.
No CVE identifier has been assigned; assignment appears pending.
Root cause is a combination of missing authorization checks (CWE-862), improper exposure of dangerous functions (CWE-749), stored cross-site scripting (CWE-79), and insufficient verification of data authenticity (CWE-494).
An unauthenticated remote attacker can write arbitrary JavaScript into WooCommerce checkout page settings with no authentication and no user interaction required (CVSS base 9.5). According to Wordfence threat intelligence, attackers are actively exploiting this flaw using payment skimming payloads disguised as Google Tag Manager (GTM) script entries to evade security tooling and analyst review. A separate Wordfence advisory documents a related SQL injection variant in versions ≤ 3.15.0.1, indicating broader input-handling weaknesses in the same plugin.

MITRE ATT&CK techniques observed or applicable: T1190 (Exploit Public-Facing Application), T1059.007 (JavaScript execution), T1036 / T1036.005 (Masquerading as GTM), T1056.003 (Web Portal Capture), T1565.002 (Transmitted Data Manipulation), T1185 (Browser Session Hijacking), T1071.001 (Web Protocol C2).

Sources: Wordfence threat intelligence advisory, BleepingComputer, The Hacker News, SC World.

Note: CVSS vector is not yet available from vendor; EPSS score and CISA KEV status are not yet assigned. Absence does not reduce urgency given confirmed active exploitation.
Action Checklist (IR Enriched)
Triage Priority: IMMEDIATE
Escalate to legal counsel, your PCI-DSS QSA, and executive leadership immediately if web server access logs confirm any successful unauthenticated POST to FunnelKit settings endpoints during the exposure window (FunnelKit <= 3.15.0.1 install date through patch application), as confirmed exploitation of a payment card skimmer on a PCI-DSS in-scope checkout page triggers mandatory acquirer notification obligations under card brand operating regulations and may constitute a reportable breach under applicable state data breach notification laws.
1. Containment. Immediately identify all WordPress instances running FunnelKit Funnel Builder for WooCommerce Checkout ≤ 3.15.0.1. If upgrade cannot be applied within hours, disable the plugin and take WooCommerce checkout offline rather than continue accepting payments on a compromised page. Apply a WAF rule blocking unauthenticated POST requests to FunnelKit admin-ajax.php and REST API endpoints (wp-json/funnelkit/*) as a temporary control while the patch is deployed.
IR Detail (Containment):
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SC-7 (Boundary Protection)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Run 'wp plugin list --status=active --format=csv' via WP-CLI across all managed WordPress instances and grep for 'funnel-builder' with version <= 3.15.0.1. For a WAF rule without an enterprise appliance, add a ModSecurity or Nginx location block denying unauthenticated POST requests matching the URI pattern '/wp-admin/admin-ajax.php' with action parameters referencing FunnelKit handlers (e.g., 'wffn_'-prefixed actions) and any REST route under '/wp-json/funnelkit/', returning HTTP 403. If neither is available, add a PHP-level gate in wp-config.php or a must-use plugin that checks nonce and authentication before processing those AJAX actions.
Preserve Evidence
Before disabling the plugin or applying WAF rules, snapshot the current WordPress database — specifically export the wp_options table rows where option_name LIKE 'funnelkit%' OR option_name LIKE 'wffn%' — to capture any injected skimmer payload in its current state. Also capture the live rendered HTML source of all active WooCommerce checkout pages (wget or curl -A 'IR-Capture' https://[store]/checkout/) to document any externally-hosted script tags present at time of discovery. Preserve these before containment actions alter the evidence.
2. Detection. Audit current plugin settings for unexpected JavaScript entries, particularly any resembling Google Tag Manager snippets (gtag, GTM-XXXXXXX container IDs) that were not explicitly configured by your team. Search server-side access logs for unauthenticated POST requests to FunnelKit admin AJAX or REST API endpoints. Review WooCommerce checkout page source for injected script tags pointing to external domains. If a SIEM is in use, query for anomalous JavaScript file loads from checkout pages against known-good baselines.
IR Detail (Detection & Analysis):
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
NIST AU-2 (Event Logging)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Query Apache/Nginx access logs with: grep -E 'POST.*(admin-ajax\.php|wp-json/funnelkit).* (200|302)' /var/log/nginx/access.log | grep -v 'wp-login\|Cookie:.*wordpress_logged_in' — any 200-response POST to those endpoints without an authenticated session cookie is a candidate exploitation attempt. For the database audit, run: wp option list --search='wffn*' --format=json | python3 -c "import sys,json; [print(r) for r in json.load(sys.stdin) if '<script' in str(r.get('option_value',''))]" to surface injected script content in FunnelKit option rows. Use the free Wordfence CLI scanner or WPScan (wpscan --url https://[store] --enumerate vp) to cross-check plugin version at scale.
Preserve Evidence
Extract all POST requests to wp-admin/admin-ajax.php and /wp-json/funnelkit/* endpoints from web server access logs for the 30 days prior to discovery — the unauthenticated exploitation mechanism means attacker requests will lack a wordpress_logged_in session cookie. Capture the raw POST body of any such requests if request body logging is enabled (ModSecurity audit log or Nginx mirror module). Dump the current value of wffn_global_settings and any wffn_* option containing 'script', 'gtag', 'GTM-', or external hostnames from wp_options — this is the primary artifact of a successful skimmer injection. Note the WordPress post meta (wp_postmeta) for WooCommerce checkout page posts, as skimmer code may also be stored there.
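The access-log triage described in this Detection step, implemented in Python over constructed Nginx-style lines as an added example (not from the advisory or its sources). It assumes a custom log_format that appends the request's Cookie header as a final quoted field; stock "combined" logs record no cookies, in which case the authentication state is reported as unknown rather than unauthenticated.

```python
"""Added example: triage access logs for unauthenticated POSTs to FunnelKit endpoints."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, one request per line (assumed custom log_format):
# ip - - [time] "request" status bytes "referer" "user-agent" "cookie"
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=wffn_save HTTP/1.1" 200 42 "-" "python-requests/2.31" "-"
198.51.100.9 - - [03/Mar/2025:10:15:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://shop.example/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_1a2b=admin%7C9999; wp-settings-1=x"
203.0.113.7 - - [03/Mar/2025:10:16:11 +0000] "POST /wp-json/funnelkit/v1/settings HTTP/1.1" 200 17 "-" "curl/8.4" "-"
192.0.2.5 - - [03/Mar/2025:10:17:45 +0000] "GET /checkout/ HTTP/1.1" 200 9813 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [03/Mar/2025:10:18:03 +0000] "POST /wp-json/funnelkit/v1/settings HTTP/1.1" 403 0 "-" "curl/8.4" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?'
)
# Endpoints named in the advisory: admin-ajax.php (FunnelKit 'wffn_' actions) and /wp-json/funnelkit/*
TARGET_RE = re.compile(r'^/(wp-admin/admin-ajax\.php|wp-json/funnelkit/)')
SUCCESS = {"200", "302"}


def triage(log_text):
    """Return POSTs to FunnelKit endpoints that succeeded without a logged-in session cookie."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not TARGET_RE.match(m["path"]):
            continue
        if m["status"] not in SUCCESS:
            continue                      # blocked/failed attempt: useful context, not a success
        cookie = m["cookie"]
        if cookie is not None and "wordpress_logged_in" in cookie:
            continue                      # authenticated admin session: expected traffic
        hits.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": m["status"],
            "auth": "unknown" if cookie is None else "unauthenticated",
            # generic admin-ajax POSTs need a closer look; wffn_ actions and the
            # funnelkit REST namespace point straight at the vulnerable plugin
            "funnelkit_specific": "wffn_" in m["path"] or m["path"].startswith("/wp-json/funnelkit/"),
        })
    return hits


def exposure_window(hits):
    """Per source IP: (first seen, last seen, request count), to bound the incident timeline."""
    seen = defaultdict(list)
    for h in hits:
        seen[h["ip"]].append(h["time"])
    return {ip: (min(t), max(t), len(t)) for ip, t in seen.items()}


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["time"].isoformat(), h["ip"], h["status"], h["auth"], h["path"])
    print(exposure_window(triage(SAMPLE_LOG)))
```

Point it at the full 30-day window the Preserve Evidence step calls for; the per-IP first-seen timestamp is the start of the exposure window you report to your acquirer.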
3. Eradication. Before proceeding, export the WordPress database (wp_options table specifically) to a backup file as a precautionary measure. Upgrade FunnelKit Funnel Builder for WooCommerce Checkout to version 3.15.0.3 immediately. After upgrading, purge all plugin settings caches and object caches (Redis, Memcached, WP Super Cache, W3 Total Cache). Manually audit the plugin's stored settings in the WordPress database (wp_options table, keys prefixed with 'funnelkit' or 'wffn') for any injected script content and remove it before restoring checkout.
IR Detail (Eradication):
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-6 (Configuration Settings)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
Compensating Control
Apply the patch via WP-CLI: 'wp plugin update funnel-builder --version=3.15.0.3' and verify with 'wp plugin get funnel-builder --field=version'. For cache purge without GUI access: 'wp cache flush' clears object cache; for Redis specifically run 'redis-cli FLUSHDB'; for file-based page caches delete contents of wp-content/cache/ with 'find wp-content/cache/ -type f -delete'. For the database audit, run this MySQL query directly: SELECT option_name, option_value FROM wp_options WHERE (option_name LIKE 'funnelkit%' OR option_name LIKE 'wffn%') AND option_value REGEXP '<script|gtag|GTM-[A-Z0-9]+|document\.write'; — review and sanitize any returned rows before re-enabling checkout.
Preserve Evidence
Before applying the patch, create a full database dump: 'mysqldump -u [user] -p [dbname] wp_options > wp_options_pre_patch_$(date +%Y%m%d%H%M).sql' — this preserves the injected payload verbatim for forensic analysis and potential PCI-DSS evidence requirements. Also archive the current plugin file state: 'tar czf funnelkit_files_pre_patch_$(date +%Y%m%d%H%M).tar.gz wp-content/plugins/funnel-builder/' to capture any file-level tampering. Do not purge caches until these snapshots are secured off-system.
4. Recovery. After patching and database cleanup, validate the live checkout page source contains no unexpected script tags or external resource loads. Place checkout transactions under enhanced monitoring for 72 hours post-remediation. Notify your payment processor of the potential compromise window so they can flag affected card ranges for fraud monitoring. Preserve pre-patch database snapshots and access logs as forensic artifacts.
IR Detail (Recovery):
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST IR-6 (Incident Reporting)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AU-11 (Audit Record Retention)
CIS 3.4 (Enforce Data Retention)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Automate post-patch checkout page validation with a curl pipeline: 'curl -s https://[store]/checkout/ | grep -oP "<script[^>]*src=[\"'][^\"']*[\"']" | grep -vF -f known_good_scripts.txt' where known_good_scripts.txt contains your authorized script hostnames — any unrecognized external src is a residual or re-injection indicator. Schedule this check as a cron job every 15 minutes for the 72-hour monitoring window: '*/15 * * * * /usr/local/bin/checkout_integrity_check.sh >> /var/log/checkout_monitor.log 2>&1'. For payment processor notification, reference the specific exposure window (date range from first attacker POST to confirmed patch) when contacting your acquirer's fraud team so they can apply targeted BIN-range monitoring.
Preserve Evidence
Retain the pre-patch wp_options database dump, all web server access logs covering the full potential exposure window (from earliest FunnelKit <= 3.15.0.1 installation date to patch timestamp), and the archived plugin file snapshot in write-protected off-system storage — these constitute the forensic record for PCI-DSS Requirement 12.10 incident documentation and any card brand forensic investigation (Visa/Mastercard may request these via your acquirer). Log retention must meet your PCI-DSS requirement (minimum 12 months per PCI DSS v4.0 Requirement 10.7), not just standard operational retention periods.
5. Post-Incident. Conduct a plugin inventory review: audit all installed WordPress plugins for unauthenticated settings modification risks, particularly those handling WooCommerce checkout flows. Implement file integrity monitoring on WordPress core and plugin directories. Establish a process for emergency plugin updates that does not require a full change-management cycle. If PCI-DSS in-scope, initiate a formal incident record and assess whether notification obligations to your acquiring bank or card brands are triggered.
IR Detail (Post-Incident):
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST RA-5 (Vulnerability Monitoring and Scanning)
NIST CM-8 (System Component Inventory)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Deploy the free WordPress File Monitor Plus plugin or use Linux inotifywait ('inotifywait -m -r -e modify,create,delete /var/www/html/wp-content/plugins/ --format "%T %w%f %e" --timefmt "%Y-%m-%d %H:%M:%S" >> /var/log/wp_file_integrity.log') to alert on any plugin file changes outside of planned maintenance windows. For broader plugin risk assessment, run WPScan with '--enumerate vp --plugins-detection aggressive' to identify other WooCommerce-adjacent plugins with known unauthenticated vulnerability patterns. For PCI-DSS notification assessment: if cardholder data was present on the checkout page during the exposure window, card brand rules (Visa GCAR, Mastercard SDP) typically require acquirer notification within 72 hours of compromise confirmation — consult your QSA, as this is a regulatory determination requiring human authority.
Preserve Evidence
Produce a formal incident timeline documenting: (1) earliest possible exploitation date based on plugin version install history (check wp-content/plugins/funnel-builder/readme.txt or Composer lock files for install timestamps), (2) first evidence of attacker POST activity in access logs, (3) date of detection, (4) date of containment, and (5) date of patch application — this timeline is the core artifact for PCI-DSS forensic reporting and card brand notification letters. Archive all forensic evidence collected across the response with SHA-256 hashes of each artifact file to establish chain of custody.
Recovery Guidance
After patching to FunnelKit 3.15.0.3 and completing database sanitization, run automated checkout page source validation every 15 minutes for a minimum of 72 hours, specifically scanning for any script tags with external src attributes not present in your pre-incident known-good baseline — re-injection is possible if attacker persistence was established via other means such as a backdoored plugin or compromised wp-admin credential. Monitor WooCommerce order anomalies and chargebacks for 90 days post-remediation, as skimmed payment cards typically surface in fraud reports 30-60 days after exfiltration. Confirm with your payment processor that they have flagged the potentially affected card ranges based on the exposure window you provided, and request a fraud rate report at 30 and 60 days to quantify customer impact.
Key Forensic Artifacts
wp_options table rows (MySQL dump): All rows where option_name LIKE 'wffn%' OR option_name LIKE 'funnelkit%' — the skimmer JavaScript payload injected via the unauthenticated endpoint is stored directly in these rows and is the primary evidence of successful exploitation.
Web server access logs (Apache/Nginx): All POST requests to wp-admin/admin-ajax.php and /wp-json/funnelkit/* URI paths lacking a wordpress_logged_in authenticated session cookie, covering the full window from FunnelKit <= 3.15.0.1 installation to patch application — these are the attacker's injection requests.
Rendered WooCommerce checkout page HTML captures: Point-in-time curl/wget snapshots of https://[store]/checkout/ taken at discovery, showing any injected external script src tags (particularly those mimicking Google Tag Manager GTM-XXXXXXX container ID format pointing to attacker-controlled domains).
WordPress debug and error logs (wp-content/debug.log): May contain PHP notices or warnings generated by the attacker's unauthenticated settings modification requests, providing additional timestamp correlation for the exploitation timeline.
ModSecurity or WAF audit logs (if enabled): Full request/response bodies for POST transactions to FunnelKit endpoints — if ModSecurity was active in detection mode, the audit log at /var/log/modsec_audit.log may contain the verbatim injected JavaScript payload and originating attacker IP addresses with timestamps.
Detection Guidance
Primary detection: audit the WooCommerce checkout page HTML source for script tags not present in your approved tag inventory, especially any referencing external domains or using GTM-style container IDs you did not configure.
In the WordPress database, query wp_options for funnelkit or wffn-prefixed keys containing '<script', 'javascript', or 'gtm' strings.
In web server access logs, look for unauthenticated POST requests (no valid WordPress auth cookies, no nonce) targeting FunnelKit admin-ajax.php actions or REST endpoints during the exposure window.
If a WAF or CDN is in place (Cloudflare, Sucuri, Wordfence), review firewall event logs for blocked or permitted requests matching unauthenticated plugin settings writes.

Behavioral indicator: skimmer payloads in this campaign masquerade as GTM entries; compare installed GTM container IDs against your Google Tag Manager account. Any GTM-formatted ID not present in your GTM account is a strong indicator of compromise.

No confirmed public IOC list (IPs, domains, hashes) is available in current sourced reporting. If indicators become available via Wordfence or other threat intelligence platforms, monitor Wordfence's plugin threat page or request them directly. Pending public indicators, focus detection on behavioral anomalies (injected scripts, unexpected external resource loads in checkout).
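The Recovery step's checkout-page integrity check, the Eradication step's wp_options REGEXP audit, and the GTM container-ID comparison above, implemented together in Python as an added example (not the advisory's or FunnelKit's code). The HTML, option rows, allowed hostnames and GTM account IDs are constructed placeholders: feed in a live capture of /checkout/, the rows from 'wp option list --search='wffn*' --format=json', your approved script hostnames, and the container IDs from your own GTM account.

```python
"""Added example: flag unexpected checkout scripts, unknown GTM containers and suspicious wp_options rows."""
import re
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
GTM_ID_RE = re.compile(r'\bGTM-[A-Z0-9]{4,}\b')
# Same patterns as the advisory's MySQL REGEXP for wp_options values.
OPTION_SUSPECT_RE = re.compile(r'<script|gtag|GTM-[A-Z0-9]+|document\.write', re.I)

# Constructed inputs (placeholders, not real values)
SITE_HOST = "shop.example"
ALLOWED_HOSTS = {"www.googletagmanager.com", "checkout.stripe.com"}   # your known_good_scripts.txt
GTM_ACCOUNT_IDS = {"GTM-ABCD123"}                                      # containers you actually own

SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://checkout.stripe.com/checkout.js"></script>
<script src="//cdn-metrics.example/gtm.js?id=GTM-ZZ99XX7"></script>
</head><body><form id="checkout">...</form></body></html>"""

SAMPLE_OPTIONS = [
    ("wffn_global_settings", '{"currency":"USD"}'),
    ("wffn_checkout_custom_js", '<script src="//cdn-metrics.example/gtm.js?id=GTM-ZZ99XX7"></script>'),
    ("siteurl", "https://shop.example"),
    ("funnelkit_tracking", "gtag('config', 'G-1234')"),
]


def audit_checkout_html(html, allowed_hosts, gtm_account_ids, site_host):
    """Return (kind, value) findings: third-party script hosts outside the allowlist,
    and GTM container IDs that do not belong to your GTM account."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname            # None for relative first-party paths
        if host is None or host == site_host:
            continue
        if host not in allowed_hosts:
            findings.append(("external_script", src))
    # a skimmer loaded through the legitimate GTM host still surfaces here via its container ID
    for cid in sorted(set(GTM_ID_RE.findall(html))):
        if cid not in gtm_account_ids:
            findings.append(("unknown_gtm_container", cid))
    return findings


def scan_option_rows(rows):
    """Names of funnelkit*/wffn* option rows whose value looks like script content.
    Legitimate analytics snippets match too, so every hit needs a human review."""
    return [name for name, value in rows
            if name.lower().startswith(("funnelkit", "wffn")) and OPTION_SUSPECT_RE.search(value or "")]


if __name__ == "__main__":
    for kind, value in audit_checkout_html(SAMPLE_HTML, ALLOWED_HOSTS, GTM_ACCOUNT_IDS, SITE_HOST):
        print(kind, value)
    print("suspect option rows:", scan_option_rows(SAMPLE_OPTIONS))
```

Run it from the 15-minute cron job over a fresh capture; any non-empty result during the 72-hour window is the re-injection indicator the Recovery Guidance describes.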
Indicators of Compromise (1)
1 URL indicator
Type: URL
Value: GTM-[unrecognized container ID in checkout source]
Enrichment: VT, US
Context: Skimmer scripts in this campaign are disguised as Google Tag Manager entries; any GTM container ID present in WooCommerce checkout page source that does not match a container in your Google Tag Manager account should be treated as a likely IOC
Confidence: MEDIUM
Platform Playbooks
Microsoft Sentinel / Defender
IOC Detection Queries (1)
1 URL indicator(s).
// Threat: Unauthenticated JavaScript Injection in FunnelKit Funnel Builder Enables Active
let malicious_urls = dynamic(["GTM-[unrecognized container ID in checkout source]"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Web application exploit patterns
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1036, T1059.007, T1036.005, T1056.003, T1565.002, T1185 (+2 more)
NIST SP 800-53: CA-8, RA-5, SC-7, SI-2, SI-7, AC-3 (+3 more)
OWASP Top 10: A01:2021, A08:2021, A03:2021
CIS Controls v8: 6.1, 2.5, 2.6, 16.10, 7.3, 7.4 (+1 more)
ISO/IEC 27001:2022 Annex A: A.8.28, A.8.8, A.5.34, A.5.21
MITRE ATT&CK Mapping
T1036 Masquerading (defense-evasion)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1565.002 Transmitted Data Manipulation (impact)
T1185 Browser Session Hijacking (collection)
T1190 Exploit Public-Facing Application (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.