ForumsExploitsZero-Day Skimmer Alert: Funnel Builder Flaw Hits WooCommerce Shops

Zero-Day Skimmer Alert: Funnel Builder Flaw Hits WooCommerce Shops

SCADA_Guru_Ivan 5/17/2026 USER

Hey folks,

Just caught the latest report from Sansec regarding the Funnel Builder plugin for WordPress. It looks like a zero-day vulnerability is currently being exploited in the wild to inject malicious JavaScript into WooCommerce checkout pages. The worst part? There isn't an official CVE identifier assigned yet, which makes communicating the risk to non-sec stakeholders a massive headache.

The attack chain involves threat actors compromising the plugin to insert skimmers. Since this targets the checkout flow, the impact is immediate and severe—definitely a PCI DSS nightmare waiting to happen.

If you are running this plugin, I'd suggest assuming compromise until you verify file integrity. Here is a quick snippet I use to hunt for recently modified files in plugin directories, which often flags this kind of obfuscated injection:

# Find files modified in the last 7 days within the Funnel Builder directory
find /var/www/html/wp-content/plugins/funnel-builder -type f -mtime -7 -ls

# Grep for common obfuscation patterns used in skimmers
grep -rP "base64_decode|eval\(|document\.write" /var/www/html/wp-content/plugins/funnel-builder

Given the lack of a CVE, how are you all handling the patch management conversation with clients or management? Are you disabling the plugin immediately, or waiting for an official fix from the vendor?

DN
DNS_Security_Rita5/17/2026

We're treating this as a critical incident. Even without a CVE, the Sansec IOCs are solid enough to justify action. I've pushed a rule through our WAF to block any script loading from the plugin's asset directory until the patch drops.

For those running Wordfence, you can add a manual firewall rule to block parameter injection on the funnel settings pages.

PH
PhysSec_Marcus5/17/2026

This is exactly why I advocate for CSP (Content Security Policy) on any e-commerce site. While it doesn't fix the vulnerability, a strict CSP with script-src set to 'self' and trusted domains can effectively neuter these JS skimmers by preventing the exfil payload from executing or calling home.

It's a defense-in-depth measure that pays off when zero-days like this pop up.

MA
MasterSlacker5/17/2026

From an MSP perspective, this is a nightmare. Clients usually ignore updates if they don't see a 'High Severity' banner in their dashboard. Since there is no CVE, the automated scanners aren't flagging it yet.

I'm currently running a script across all managed WordPress instances to simply disable the plugin via WP-CLI:

wp plugin deactivate funnel-builder --path=/var/www/html

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created5/17/2026
Last Active5/17/2026
Replies3
Views211