Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SC Media

WordPress Funnel Builder vulnerability exploited to steal payment data

A critical, unauthenticated cross-site scripting vulnerability (CVE-2026-8181, CVSS 9.8) in the WordPress Funnel Builder plugin allows attackers to inject malicious JavaScript into WooCommerce checkout pages to steal payment data. The flaw affects all versions prior to 3.15.0.3. The vendor, FunnelKit, has released version 3.15.0.3 to address the issue and recommends immediate updating and a review of external scripts for unauthorized additions.

Vulnerability Management

May 15, 2026

By SC Staff

A critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited, allowing attackers to inject malicious JavaScript into WooCommerce checkout pages and steal customer payment information. The flaw, which affects all versions prior to 3.15.0.3, can be exploited without authentication, Bleeping Computer reports.

The vulnerability in the Funnel Builder plugin, used by over 40,000 websites, allows unauthenticated attackers to modify global settings via an unprotected checkout endpoint. This enables the injection of arbitrary JavaScript into the plugin's "External Scripts" setting, leading to malicious code execution on every checkout page.

Security company Sansec detected the attacks, noting that the payload disguised itself as a legitimate analytics script to establish a WebSocket connection to an attacker-controlled server. This server then delivers a payment card skimmer designed to steal credit card numbers, CVVs, billing addresses, and other customer data.

FunnelKit has released version 3.15.0.3 to address the vulnerability and recommends that all users update immediately and review their external scripts for any rogue additions.

Source: Bleeping Computer
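One way to carry out the recommended review of external scripts, as an added example that is not code from SC Media, Sansec or FunnelKit. It assumes the "External Scripts" value has been copied out of the plugin settings as text; the function names, pattern list, allowlist and sample hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Review heuristics assumed for this example; not Sansec or FunnelKit signatures.
SUSPICIOUS = {
    "websocket": re.compile(r"new\s+WebSocket\s*\(|\bwss?://", re.I),
    "dynamic-code": re.compile(r"\beval\s*\(|new\s+Function\s*\(|\batob\s*\("),
}

class ScriptCollector(HTMLParser):
    """Collect <script src> URLs and the full body of each inline <script>."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
            self.srcs += [v for k, v in attrs if k == "src" and v]

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def audit_external_scripts(snippet, allowed_hosts):
    """Return sorted (kind, detail) findings for one exported setting value."""
    parser = ScriptCollector()
    parser.feed(snippet)
    parser.close()
    findings = set()
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed_hosts:
            findings.add(("unlisted-host", host or src))
    for body in parser.inline:
        for kind, pattern in SUSPICIOUS.items():
            if pattern.search(body):
                findings.add((kind, body.strip()[:60]))
    return sorted(findings)

# Constructed sample: an expected tag plus an inline block that opens a WebSocket.
SAMPLE = ('<script src="https://tags.example.com/a.js"></script>'
          '<script>/* analytics */ new WebSocket("wss://stats.example.invalid/ws");</script>')
ALLOWED = {"tags.example.com"}
```

An empty result only means none of these heuristics fired; any entry the site owner does not recognise still warrants a manual look.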
