Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts
Sansec reports active exploitation of a critical Funnel Builder by FunnelKit flaw affecting WooCommerce stores, where all versions before 3.15.0.3 expose a public checkout endpoint that lets unauthenticated users invoke internal methods without capability checks or a method allow-list. The vulnerable path can reach a settings-writing method and store attacker-controlled data in the plugin’s global “External Scripts” configuration, which is then rendered on every FunnelKit checkout page. In observed attacks, adversaries inserted fake Google Tag Manager-style JavaScript that base64-decodes and loads a second-stage payload from analytics-reports[.]com, then opens a WebSocket to protect-wss[.]com to fetch a store-specific skimmer. The skimmer captures payment card numbers, CVVs, billing addresses, and other checkout data, making this a high-impact supply-side compromise for more than 40,000 WooCommerce deployments. FunnelKit patched the issue in 3.15.0.3 by adding capability checks and restricting the endpoint to safe methods.
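The bug class described above is a request-controlled method dispatch with no capability check and no allow-list. The following is an added example, not FunnelKit's code: a hypothetical WooCommerce plugin AJAX endpoint shown first in the vulnerable shape and then hardened the way the advisory describes the fix (capability checks plus an explicit list of methods the public endpoint may call). The class name, action name, method names, nonce action and the `example_external_scripts` option key are all assumptions; only the WordPress core functions are real.

```php
<?php
// Added illustration of the vulnerability class, not code from FunnelKit.
// All plugin-specific names below are hypothetical.

class Example_Checkout_Ajax {

    // --- Vulnerable pattern ---------------------------------------------------
    // The request body names the method; nothing checks who is calling or
    // whether that method was ever meant to be reachable from the checkout.
    public function vulnerable_handler() {
        $method = isset( $_POST['method'] ) ? (string) $_POST['method'] : '';
        if ( method_exists( $this, $method ) ) {
            // An anonymous caller can reach save_external_scripts() and
            // persist arbitrary markup that is later echoed on every checkout.
            call_user_func( array( $this, $method ) );
        }
        wp_die();
    }

    // --- Hardened pattern -----------------------------------------------------
    // Methods an unauthenticated shopper may invoke during checkout.
    const PUBLIC_METHODS = array( 'get_shipping_estimate' );
    // Methods that change plugin settings; never callable without capability.
    const ADMIN_METHODS  = array( 'save_external_scripts' );

    public function hardened_handler() {
        $method = isset( $_POST['method'] )
            ? sanitize_key( wp_unslash( $_POST['method'] ) )
            : '';

        // Allow-listed public method: still CSRF-protected, no capability needed.
        if ( in_array( $method, self::PUBLIC_METHODS, true ) ) {
            check_ajax_referer( 'example_checkout_nonce', 'nonce' );
            wp_send_json_success( $this->$method() ); // exits
        }

        // Settings-writing method: CSRF check plus a capability check.
        if ( in_array( $method, self::ADMIN_METHODS, true ) ) {
            check_ajax_referer( 'example_checkout_nonce', 'nonce' );
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                wp_send_json_error( 'forbidden', 403 ); // exits
            }
            wp_send_json_success( $this->$method() ); // exits
        }

        // Anything else, including every other internal method, is rejected.
        wp_send_json_error( 'unknown method', 400 );
    }

    private function get_shipping_estimate() {
        // Hypothetical read-only checkout helper.
        return array( 'estimate' => '3-5 days' );
    }

    private function save_external_scripts() {
        $scripts = isset( $_POST['scripts'] ) ? wp_unslash( $_POST['scripts'] ) : '';
        // This value is rendered on every checkout page, so the write is
        // restricted to capable users above and recorded for later review.
        update_option( 'example_external_scripts', $scripts );
        error_log( sprintf(
            'example_external_scripts changed by user %d (%d bytes)',
            get_current_user_id(),
            strlen( $scripts )
        ) );
        return array( 'saved' => true );
    }
}

$handler = new Example_Checkout_Ajax();
// Both logged-in and anonymous requests hit the hardened dispatcher.
add_action( 'wp_ajax_example_checkout',        array( $handler, 'hardened_handler' ) );
add_action( 'wp_ajax_nopriv_example_checkout', array( $handler, 'hardened_handler' ) );
```

The decisive change is that the hardened handler decides reachability from two fixed lists rather than from `method_exists()`, and that the settings-writing branch is additionally gated by `current_user_can()`. For stores that ran a vulnerable version, the same logic suggests where to look during triage: the plugin's stored "External Scripts" setting should contain only script blocks an administrator recognises, and any entry that decodes base64 at runtime or opens a WebSocket to an unfamiliar host warrants treating the checkout as compromised until the setting is cleaned and the plugin updated.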