Cyber Web Spider Blog – News

Critical Flaw in Funnel Builder Targets WooCommerce

Posted on May 16, 2026 By CWS

A significant security vulnerability in the Funnel Builder plugin for WordPress is actively being exploited to compromise WooCommerce checkout pages. By injecting malicious JavaScript, attackers aim to steal sensitive payment data from unsuspecting users. This alarming development has raised concerns among thousands of WooCommerce store owners.

Details of the Vulnerability

The security issue was brought to light by Sansec, a Dutch e-commerce security firm, which detailed the exploitation techniques in a recent report. The vulnerability impacts all versions of the Funnel Builder plugin prior to 3.15.0.3, affecting over 40,000 WooCommerce installations. Despite the absence of an official CVE identifier, the flaw’s potential for harm has prompted urgent action.

This vulnerability allows unauthorized individuals to inject arbitrary JavaScript into every checkout page on the affected stores. In response, FunnelKit, the developers of Funnel Builder, have issued a critical patch in version 3.15.0.3 to address the flaw.

Methods of Exploitation

According to Sansec, attackers exploit this vulnerability by adding fake Google Tag Manager scripts through the plugin’s ‘External Scripts’ setting. These scripts mimic legitimate analytics tags but secretly deploy a payment skimmer. This skimmer captures sensitive information, including credit card numbers, CVVs, and billing addresses, during the checkout process.

The core issue lies in the plugin’s publicly exposed checkout endpoint. Prior versions allowed incoming requests to execute internal methods without verifying the caller’s permissions. This oversight enables attackers to inject harmful code into the plugin’s global settings, affecting all checkout pages.
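The fake Google Tag Manager pattern described above can be checked for in rendered checkout HTML or in the value stored in the plugin's 'External Scripts' setting. This is an added example, not code from Sansec or FunnelKit: the sample markup and `.example` hostnames are constructed, and treating `www.googletagmanager.com` as the only genuine GTM host is an assumption of the heuristic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the genuine GTM loader is served from this host only.
GTM_HOSTS = {"www.googletagmanager.com"}
# Heuristic markers that make a script look like a GTM tag.
GTM_LOOKALIKE = re.compile(r"gtm\.js|GTM-[A-Z0-9]+|googletagmanager", re.I)
# Absolute or protocol-relative URLs quoted inside inline JavaScript.
URL_IN_JS = re.compile(r"""["'](?:https?:)?//([^/"'\s]+)""")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False  # scripts: [src, inline body]
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append([dict(attrs).get("src") or "", ""])
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def src_host(src):
    # Relative URLs have no host (same origin); return "" for them.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()

def find_fake_gtm(html):
    """Return sorted hosts of GTM-looking scripts that load from non-Google hosts."""
    parser = ScriptCollector()
    parser.feed(html)
    flagged = set()
    for src, body in parser.scripts:
        if not GTM_LOOKALIKE.search(src + body):
            continue  # not dressed up as GTM; out of scope for this check
        hosts = {src_host(src)} | {h.lower() for h in URL_IN_JS.findall(body)}
        flagged |= {h for h in hosts if h and h not in GTM_HOSTS}
    return sorted(flagged)

# Constructed sample markup; the .example hostnames are placeholders.
SAMPLE = """
<script>(function(w,d,s,l,i){var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script','dataLayer','GTM-ABC123');</script>
<script src="https://cdn.gtm-metrics.example/gtm.js?id=GTM-ABC123"></script>
<script src="https://pay.example/v3/"></script>
"""
```

A hit means a script styled as GTM loads from somewhere other than Google and needs manual review; a clean result does not rule out a skimmer that uses a different disguise.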

Preventive Measures and Future Outlook

To mitigate this risk, store owners using the Funnel Builder plugin are urged to update to version 3.15.0.3 immediately. The update includes crucial patches that seal the vulnerability, safeguarding customer data from potential skimming attacks.

As the cybersecurity landscape evolves, maintaining vigilance over plugin security has become paramount. Developers and store owners must prioritize regular updates and security audits to protect against emerging threats.

In conclusion, the swift response to the Funnel Builder vulnerability highlights the ongoing battle against cyber threats in the e-commerce sector. By staying informed and proactive, businesses can better shield themselves and their customers from malicious activities.
