What to look out for today
If you run a WordPress website (especially with WooCommerce): there are reports of active exploitation of a WordPress “funnel/builder” plugin being used to inject malicious code into checkout pages and steal payment card details. Separately, another widely used WordPress builder plugin is reported to have flaws that can expose files and sensitive database information, including credentials.
Also in the background: ongoing supply-chain attack themes in popular developer tooling (a reminder that “trusted” libraries and plugins can be turned against organisations), and browser credential-handling news that reinforces the need for strong endpoint controls and password manager hygiene.
Why this matters to smaller businesses
- Card payment theft is immediate and reputationally damaging: customers blame the shop they bought from, even if the issue started with a plugin.
- Website credential theft can lead to full takeover: attackers can change bank details on invoices, add fake “support” chat widgets, redirect customers, or plant ongoing skimmers.
- SMEs often rely on web agencies/MSPs: if you’re not close to the day-to-day of website plugins, issues can linger unnoticed.
Warning signs
- Customers report fraudulent card activity soon after purchasing from your site.
- New or unfamiliar JavaScript appearing on checkout pages, or unexpected changes to theme/header/footer code.
- Admin accounts you don’t recognise in WordPress, WooCommerce, or your hosting control panel.
- Checkout behaviour changes: extra fields, unusual redirects, or payment steps that “look slightly different”.
- Sudden spikes in website errors, unfamiliar plugins installed, or security plugins disabled.
How attackers may exploit the situation
- Checkout skimming: attackers inject malicious scripts to capture card details at the point of entry (often before payment is sent to your payment provider).
- Database/credential exposure: flaws in site builders can allow extraction of sensitive configuration data, user records, or secrets that enable further access.
- Follow-on compromise: once they have admin access, attackers may add backdoors, create hidden admin users, or pivot into email accounts to send invoice/payment-change scams.
- Supply chain angle: attackers increasingly target widely-used components (plugins/libraries) so they can compromise many organisations “at once”.
What to do today
- Find out if you use the affected WordPress plugins: ask whoever manages your site (internal, agency, MSP) to confirm whether Avada Builder and/or Funnel Builder are installed and where (production/staging).
- Prioritise checkout integrity checks: review your checkout pages for unexpected scripts and validate that payment flows haven’t been altered.
- Lock down WordPress admin access: remove unused admin accounts, enforce strong MFA where available, and restrict admin access by role and necessity.
- Rotate key credentials: WordPress admin passwords, hosting panel logins, database credentials (where feasible), and any API keys exposed to the website.
- Monitor transactions and customer reports: ensure someone is watching for fraud complaints and abnormal refund/chargeback patterns.
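As an added illustration of the checkout integrity check described above (example code written for this brief, not taken from any of the plugins or sources named; the site names and page contents are constructed placeholders): take a snapshot of the scripts on a checkout page while it is known to be clean, then compare every later fetch against that snapshot so an unfamiliar script host or a new inline script is flagged for whoever manages the site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib

class _ScriptCollector(HTMLParser):
    # Records the host of every external <script src> and a short hash of every inline script body.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:  # external script: the host is what matters for a baseline comparison
            self.external.append(urlparse(src).netloc or "(same-site relative)")
        else:    # inline script: buffer its body until the closing tag
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest()[:16])

def inventory(html):
    """Return the de-duplicated script inventory of one checkout page."""
    p = _ScriptCollector()
    p.feed(html)
    return {"external": sorted(set(p.external)), "inline": sorted(set(p.inline))}

def check_checkout(html, baseline):
    """Compare a freshly fetched checkout page against a known-good inventory; anything new is a finding."""
    now = inventory(html)
    return {"new_hosts": [h for h in now["external"] if h not in baseline["external"]],
            "new_inline": [h for h in now["inline"] if h not in baseline["inline"]]}

# Constructed sample pages (not real sites). The baseline is the page as it looked when last verified.
KNOWN_GOOD = ('<html><head><script src="https://shop.example/wp-includes/js/jquery.js"></script></head>'
              '<body><script>var wc_checkout_params = {"ajax_url": "/wp-admin/admin-ajax.php"};</script></body></html>')
BASELINE = inventory(KNOWN_GOOD)
# The same page after a skimmer-style injection: one unknown external host plus one new inline script.
CURRENT_PAGE = KNOWN_GOOD.replace("</body>",
    '<script src="https://cdn.example-static.invalid/checkout.js"></script>'
    '<script>setInterval(function(){/* reads card fields */}, 500);</script></body>')
```

In practice the baseline would be regenerated and signed off after every legitimate plugin or theme update, and the comparison run on a schedule against the live checkout URL.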
Ask your IT provider
- Can you confirm whether our WordPress site uses Avada Builder and/or Funnel Builder, and whether they’re exposed on the public site?
- Do we have file integrity monitoring or any alerting for unexpected changes to checkout-related files/templates?
- What’s our process to quickly disable a plugin and roll back website changes if we suspect checkout skimming?
- Are admin accounts reviewed monthly, and do we have MFA enforced for WordPress/hosting/email?
- If we suspect a skimmer, who handles payment provider coordination, customer comms, and evidence preservation?
Patch watch
If you run WordPress, treat plugin updates as business-critical for revenue sites. Ask your web supplier to confirm an urgent review of the reported Avada Builder issues and the actively exploited Funnel Builder bug, to apply the available updates or mitigations, and to validate checkout pages after any change. Separately, keep an eye on browser and Windows update communications in your estate (notably credential-handling and driver reliability changes) so endpoint changes don’t break business apps unexpectedly.
One action today
Get your website owner/provider to immediately confirm whether your WordPress site uses Funnel Builder or Avada Builder and perform a checkout integrity check for unexpected scripts or admin accounts.
Related Actions On Cyber resource
Use the Actions On Cyber “Website compromise & checkout skimming quick checklist” (includes: who to call, what to capture, how to validate checkout pages, and customer/payment-provider steps).
Sources
- Funnel Builder WordPress plugin bug exploited to steal credit cards (BleepingComputer)
- Avada Builder WordPress plugin flaws allow site credential theft (BleepingComputer)
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates (The Hacker News)
- Microsoft backpedals: Edge to stop loading passwords into memory (BleepingComputer)
- Microsoft to automatically roll back faulty Windows drivers (BleepingComputer)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.