A critical vulnerability in the Funnel Builder for WooCommerce WordPress plugin allowed attackers to inject malicious JavaScript into e-commerce checkout pages, stealing customer credit card information. Security researchers first detected active exploitation on October 26, 2023, affecting an estimated 150,000 active installations of the plugin.

Developed by Extendons, Funnel Builder is widely used by online stores to create sales funnels, upsells, and downsells within the WooCommerce environment. Its integration with the checkout process makes it a prime target for financially motivated cybercriminals. The flaw resided in how the plugin handled certain user-supplied data, which it rendered on sensitive pages without properly sanitizing it first.

Attackers exploited this weakness, identified as a stored Cross-Site Scripting (XSS) vulnerability, to embed unauthorized scripts. These scripts executed silently in a customer's browser during the final stages of a purchase. The malicious code functioned as a digital skimmer, intercepting payment card details—including card numbers, expiration dates, and CVV codes—directly as customers entered them.

This stolen information was then immediately transmitted to external, attacker-controlled servers, bypassing the legitimate payment gateway. Beyond financial data, the scripts also captured customer names, billing addresses, and email contacts, compounding the potential for identity theft and future phishing attacks. Site owners often remained unaware of the breach until customers reported fraudulent charges or their payment processor flagged suspicious activity.
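One defender-side check that follows from the skimmer behaviour described above is to compare the scripts on a rendered checkout page against a known-good baseline, so that an injected inline block or a script loaded from an unexpected host shows up before customers report fraud. This is an added example, not code from the article or from Extendons; the trusted host list, the baseline inline script and the sample checkout page are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline for a hypothetical store: allowed script hosts and digests of known-good inline scripts.
TRUSTED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}
KNOWN_GOOD_INLINE = ['var wc_checkout_params = {"is_checkout":"1"};']
def script_digest(body):
    # Hash the trimmed body, as CSP 'sha256-...' source expressions do.
    return hashlib.sha256(body.strip().encode()).hexdigest()
BASELINE_DIGESTS = {script_digest(s) for s in KNOWN_GOOD_INLINE}

class CheckoutScriptAuditor(HTMLParser):
    """Flags each <script> not in the baseline: an inline body with an unknown
    digest, or a src on a host outside the allowlist (relative = same-origin)."""
    def __init__(self, trusted_hosts, baseline_digests):
        super().__init__()
        self.trusted_hosts, self.baseline_digests = trusted_hosts, baseline_digests
        self.findings = []
        self._inline = None  # text chunks collected while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline = []
        elif (host := urlparse(src).hostname) and host not in self.trusted_hosts:
            self.findings.append(("untrusted_external_script", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body, self._inline = "".join(self._inline), None
            digest = script_digest(body)
            if body.strip() and digest not in self.baseline_digests:
                self.findings.append(("unknown_inline_script", digest))

def audit_checkout_html(html, hosts=TRUSTED_SCRIPT_HOSTS, digests=BASELINE_DIGESTS):
    auditor = CheckoutScriptAuditor(hosts, digests)
    auditor.feed(html)
    auditor.close()
    return auditor.findings  # list of (finding_type, detail) tuples

# Constructed checkout page: two expected scripts plus the two kinds of addition a
# skimmer injection leaves behind (an unknown inline block, a foreign script host).
SAMPLE_CHECKOUT_HTML = """<script>var wc_checkout_params = {"is_checkout":"1"};</script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>console.log("stand-in for injected content");</script>
<script src="https://cdn.unknown-host.invalid/s.js"></script>"""
```

The same baseline maps directly onto a Content-Security-Policy (script-src host allowlist plus sha256 hashes for inline blocks), which would have blocked an injected script rather than only detecting it after the fact.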

Extendons moved quickly to address the issue following public disclosure. The company released Funnel Builder for WooCommerce version 2.7.4 on November 2, 2023, which contained a patch for the critical vulnerability. Site administrators received urgent advisories to update their plugin installations immediately to prevent further compromise.

But many sites operate with outdated plugins, leaving them exposed long after a fix becomes available. E-commerce platforms, particularly those built on WordPress, face constant threats from plugin vulnerabilities. Attackers actively scan for these weaknesses because they offer a direct path to customer financial data. Protecting customer trust requires vigilance from both plugin developers and site operators.

Dr. Evelyn Reed, Director of Digital Forensics at Sentinel Security, warns, "The moment a customer enters their card details, that data is highly exposed if the underlying e-commerce system is not impeccably secured. A single flaw in one plugin can unravel years of trust."