What Happened
Between early December 2024 and January 16, 2025, attackers exploited a critical vulnerability in FunnelKit's Funnel Builder plugin to inject malicious JavaScript into WooCommerce checkout pages. This flaw affected all versions before 3.15.0.3, allowing attackers to inject arbitrary JavaScript into checkout pages across more than 40,000 WooCommerce stores. Security firm Sansec reported that the attack targeted payment card data during the checkout process.
The vulnerability enabled attackers to execute a web skimming attack without requiring authentication. Once exploited, the injected JavaScript captured payment information as customers entered it, transmitting the data to attacker-controlled infrastructure before the legitimate transaction completed.
Timeline
Early December 2024: Exploitation begins. Attackers identify and exploit the JavaScript injection vulnerability in Funnel Builder.
December 2024 - January 2025: Active skimming campaign across affected stores. The vulnerability remains unpatched while attackers inject malicious code into checkout flows.
January 16, 2025: FunnelKit releases version 3.15.0.3, patching the vulnerability.
Post-patch: Sansec publishes vulnerability details after patch availability.
Which Controls Failed or Were Missing
Input Validation and Sanitization: The plugin failed to validate and sanitize user input before rendering it in the checkout page context. This oversight allowed malicious data paths from user input to browser execution.
Authentication Requirements: The vulnerability allowed unauthenticated exploitation. The plugin exposed functionality that modified checkout page behavior without requiring authenticated access.
Content Security Policy (CSP): Affected stores lacked effective CSP headers that would have prevented execution of unauthorized inline JavaScript. A properly configured CSP would have blocked the injected skimming code.
Third-Party Component Monitoring: Organizations failed to maintain visibility into plugin versions and security advisories. The delay between vulnerability introduction and patch deployment suggests inadequate monitoring of supply chain components.
Checkout Page Integrity Monitoring: Stores lacked runtime monitoring to detect unauthorized modifications to checkout page behavior. The injected JavaScript altered page functionality without triggering alerts.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.4.3 mandates that all payment page scripts loaded and executed in the consumer's browser are managed to confirm authorization. You must maintain an inventory of scripts on payment pages and detect unauthorized changes using methods like Subresource Integrity (SRI) hashes or CSP with strict-dynamic.
PCI DSS v4.0.1 Requirement 11.6.1 requires detection of unauthorized changes to HTTP headers and payment page content. Automated monitoring should alert when checkout page scripts change unexpectedly.
OWASP ASVS v4.0.3 Section 5.3.3 requires contextual output encoding based on where data appears in the document. The Funnel Builder vulnerability failed to encode user-supplied data before inserting it into JavaScript execution contexts.
ISO/IEC 27001:2022 Control 8.24 (Web filtering) and Control 8.25 (Secure development lifecycle) apply. Your vendor management process should verify that plugin developers follow secure coding practices, and your web filtering should detect unauthorized external domain communications.
Lessons and Action Items for Your Team
Implement script monitoring on payment pages now. Deploy a solution that maintains cryptographic hashes of all JavaScript files on checkout pages and alerts on changes. Options include Sansec's eComscan, Jscrambler, or Feroot Security. Open-source teams can use Content-Security-Policy-Report-Only headers with report-uri directives.
Audit your plugin inventory and update process. Document every WordPress plugin, its version, and its last update date. Subscribe to security advisories for each plugin. Automate this with a tool like WPScan or Patchstack and ensure security updates deploy within 48 hours of release.
Configure Content Security Policy headers restrictively. Start with a report-only policy to identify legitimate scripts, then enforce with script-src 'self' and explicit allowlisting of required third-party domains. Avoid 'unsafe-inline' on payment pages.
Separate your plugin update testing from production. Maintain a staging environment that mirrors production. Deploy security updates to staging first, run automated tests against checkout flows, then promote to production within 24 hours for critical vulnerabilities.
Monitor outbound connections from payment pages. Configure your web application firewall or browser-based monitoring to alert when checkout pages initiate connections to unauthorized domains. This traffic pattern should trigger immediate investigation.
Review plugin authentication requirements. Ensure any plugin that modifies checkout behavior requires authenticated, authorized access. Test whether unauthenticated requests can modify payment page content and address any findings immediately.
Establish vendor security requirements. Verify that any plugin vendor maintains a security disclosure program, publishes security advisories, and provides a security contact. If not, consider alternatives.
The Funnel Builder incident highlights the importance of proactive plugin management and monitoring for e-commerce security. Your checkout pages are high-value targets. Protect them with layered security controls.
