WooCommerce stores using Funnel Builder by FunnelKit need immediate attention. Attackers already exploit a critical flaw that steals customer payment details during checkout.

Update FunnelKit immediately and check your checkout scripts

Attackers actively target Funnel Builder by FunnelKit, a WooCommerce checkout and upsell plugin. The flaw lets anyone inject malicious JavaScript into checkout pages without logging in. Attackers disguise the code as a normal Google Tag Manager or Google Analytics script, then use it to steal credit card numbers, CVVs, billing addresses, and other customer data.

The vulnerability affects Funnel Builder by FunnelKit versions earlier than 3.15.0.3. Any WooCommerce store using affected versions and processing payments through FunnelKit checkout pages faces direct risk.

Update Funnel Builder by FunnelKit to version 3.15.0.3 now. Then review Settings > Checkout > External Scripts and remove any unfamiliar scripts, especially references to analytics-reports[.]com or protect-wss[.]com.


End of article