The Short Version
- An actively exploited vulnerability in the Funnel Builder for WooCommerce plugin (FunnelKit) allows attackers to steal payment card data from every customer who checks out on a compromised store
- Stolen data includes credit card numbers, CVVs, and billing addresses
- The plugin is active on more than 40,000 WooCommerce sites
- All versions before 3.15.0.3 are vulnerable; the patch was released May 14, 2026
- Affected store owners likely have GDPR breach notification obligations
- No CVE has been assigned as of publication
Every customer who completed a purchase on a WooCommerce store running an unpatched version of the FunnelKit plugin may have had their payment card number, CVV, and billing address stolen. The theft happens silently, at checkout, with no visible sign to the customer or the store owner. The plugin is active on more than 40,000 WooCommerce sites. A patch was released on May 14, 2026 in version 3.15.0.3. The exploitation was detected by Sansec, an e-commerce security company that joined your.online earlier this month.
What Was Stolen and Who Is Affected
The attack targets the checkout moment — the point at which customers enter their most sensitive financial data. On every compromised store, a hidden script captures card numbers, CVVs, billing addresses, and customer information as they are typed into the checkout form, and sends them to attacker-controlled servers in real time. The customer sees a normal checkout. The store owner sees a completed order. Neither has any indication that anything went wrong.
The attack is active, not theoretical. Security researchers at Sansec confirmed ongoing exploitation before the patch was available. Any store that ran an unpatched version of FunnelKit while accepting card payments should be treated as potentially compromised, and its checkout data as potentially exfiltrated.
The injected script is disguised as a standard analytics tag, the kind that appears on virtually every e-commerce site. Standard site monitoring would not flag it. Customers have no way to detect it. The only reliable defence is keeping the plugin updated.
The Business Consequences of a Compromise
For any WooCommerce store owner whose site was running a vulnerable version:
- GDPR and breach notification: Payment card numbers and billing addresses are personal data under GDPR and most equivalent frameworks. A confirmed or suspected compromise triggers notification obligations to the relevant supervisory authority within 72 hours, and in many cases directly to affected customers. Failure to notify carries its own regulatory exposure, separate from the breach itself.
- Payment processor consequences: Card schemes (Visa, Mastercard) impose fines on merchants whose infrastructure is found to have leaked card data, and may require a forensic audit. Chargeback rates on cards stolen through skimming typically spike weeks after the initial compromise, when stolen cards begin to be used fraudulently.
- Reputational exposure: Payment card theft is one of the most damaging events for customer trust in e-commerce. Disclosure, whether voluntary or forced by regulators, has direct commercial consequences for repeat purchase rates and conversion.
What to Do Now
Update the plugin to version 3.15.0.3 immediately. The patch is available through the standard WordPress plugin update mechanism.
Updating alone is not sufficient if the store was compromised before the patch was applied. After updating, check the plugin’s External Scripts setting for any unfamiliar entries — particularly anything referencing domains not placed there intentionally. If a compromise is suspected, treat all checkout data collected during the exposure window as exfiltrated and act accordingly: assess notification obligations, contact your payment processor, and document the timeline.
For hosting providers managing multiple WooCommerce stores on behalf of clients, the scope of the check is broader. Each client site running an unpatched version of FunnelKit is an independent exposure. Managed WordPress and WooCommerce hosting providers should verify plugin versions across their customer base and notify any client whose store may have been running the vulnerable version while actively processing payments.
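The two checks above, the per-store review of the External Scripts setting and the fleet-wide version audit, as an added Python example. This is not code from the article, from FunnelKit or from Sansec. It assumes you have already exported the raw text of the External Scripts setting (from the plugin's settings page, a database dump or WP-CLI; the advisory does not name the underlying option) and that you know which third-party hosts you placed there yourself. The allowlist, the `.example` host names and the site inventory are constructed sample data; the version number 3.15.0.3 is the fixed release named in the advisory.

```python
# Added example, not code from the article, FunnelKit or Sansec. It implements the
# two post-patch checks the advisory recommends, against constructed sample data:
#   1. audit_versions(): which sites in an inventory still run a FunnelKit build
#      older than 3.15.0.3 (the fixed version named in the advisory).
#   2. scan_external_scripts(): which entries in the raw text of the plugin's
#      External Scripts setting load from a host you did not allowlist, with
#      Google Tag Manager lookalike hosts called out separately.
# How you export the setting text (settings page, database dump, WP-CLI) is
# outside this example; the option name is not given in the advisory.
import re
from urllib.parse import urlparse

FIXED_VERSION = (3, 15, 0, 3)  # first patched release, per the advisory

# Hosts the store owner knowingly added to External Scripts (assumed allowlist).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
SCRIPT_BODY_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def parse_version(version: str) -> tuple:
    """'3.15.0.2' -> (3, 15, 0, 2). Parsing stops at the first non-numeric part,
    so an odd suffix is treated conservatively (as an older build)."""
    parts = []
    for part in version.strip().split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates the fix."""
    return parse_version(version) < FIXED_VERSION


def audit_versions(inventory: dict) -> list:
    """inventory maps site name -> installed FunnelKit version; returns the
    sites (sorted) that still need the update."""
    return sorted(site for site, ver in inventory.items() if is_vulnerable(ver))


def host_of(url: str) -> str:
    """Lower-cased host of a URL; protocol-relative '//host/x' is handled too."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def classify_host(host: str, allowed: set):
    """None for an allowlisted host, otherwise a short reason string."""
    if host in allowed:
        return None
    if "googletagmanager" in host:
        return "gtm-lookalike"  # borrows the GTM name but is not the GTM host
    return "unknown-host"


def scan_external_scripts(setting_text: str, allowed=ALLOWED_HOSTS) -> list:
    """Return (reason, host, evidence) for every script load from a host that
    is not on the allowlist: both <script src=...> tags and URLs referenced
    inside inline script bodies."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(setting_text):
        host = host_of(m.group(1))
        reason = classify_host(host, allowed)
        if reason:
            findings.append((reason, host, m.group(1)))
    for m in SCRIPT_BODY_RE.finditer(setting_text):
        for url in URL_RE.findall(m.group(1)):
            host = host_of(url)
            reason = classify_host(host, allowed)
            if reason:
                findings.append((reason, host, url))
    return findings


# Constructed sample: the real GTM loader the owner placed, followed by a second
# loader nobody added, styled to blend in. The .example host is a placeholder.
SAMPLE_SETTING = """
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script async src="https://googletagmanager-cdn.example/gtm.js?id=GTM-XXXXXXX"></script>
"""

# Constructed fleet inventory for a hosting provider's check.
SAMPLE_INVENTORY = {
    "shop-a.example": "3.15.0.2",
    "shop-b.example": "3.15.0.3",
    "shop-c.example": "3.14.9",
    "shop-d.example": "3.15.1",
}

if __name__ == "__main__":
    for site in audit_versions(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED  {site}: {SAMPLE_INVENTORY[site]} < 3.15.0.3")
    for reason, host, evidence in scan_external_scripts(SAMPLE_SETTING):
        print(f"REVIEW  [{reason}] {host}  <- {evidence}")
```

On the sample data the version audit reports shop-a and shop-c, and the settings scan reports a single `gtm-lookalike` finding for the second loader while leaving the genuine Tag Manager snippet alone. The scan deliberately treats anything outside the allowlist as worth a human look rather than trying to decide what is malicious: the page's point is that the injected tag is built to look ordinary, so the reliable signal is "I did not put this here", not the script's appearance.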
How the Injection Works
For those who need the technical detail: the flaw is a missing authentication check on a plugin endpoint that should only be accessible to logged-in administrators. Because the check is absent, anyone on the internet can call that endpoint and write a script into the plugin’s settings. The injected script loads on every checkout page the store serves, disguised as a Google Tag Manager tag, and silently transmits card data to attacker-controlled servers as customers type.
Natalia Nowak
Exploring the web hosting industry through writing - panels, providers, and everything that runs behind the scenes.