Free practical cybersecurity guidance for organisations without a security team.

Daily SMB Cyber Intelligence Brief

Weekend lookout: WooCommerce checkout skimming and Exchange email-server exploitation

What small and medium-sized businesses should look out for today.

High | Saturday 16 May 2026, 20:53 UK time
Today’s look-out: E‑commerce payment skimming + email server compromise (supplier/SaaS dependency and business disruption risk)

What to look out for today

  • Online shop owners (WordPress/WooCommerce): reports of a Funnel Builder plugin flaw being actively exploited to inject malicious JavaScript into WooCommerce checkout pages to steal customer payment details.
  • Organisations running on‑prem Microsoft Exchange: Microsoft has disclosed active exploitation of a spoofing issue (CVE‑2026‑42897) affecting on‑prem Exchange Server, triggered via a crafted email.

Why this matters to smaller businesses

  • Card skimming can create immediate customer harm (fraud), chargebacks, reputational damage, and potentially regulatory headaches depending on what data is exposed.
  • Email server compromise is a common stepping stone to invoice fraud, payroll scams, account takeover, data theft and ransomware.
  • These issues are attractive to criminals because they can scale: one vulnerable plugin or server can impact many victims quickly.

Warning signs

  • For WooCommerce sites: sudden changes to the checkout page behaviour, unexpected fields, odd redirects, new scripts loading, or customer reports of fraud shortly after purchase.
  • For finance/admin teams: unexpected payment change requests, “bank details updated” emails, or pressure to pay urgently (especially if it appears to come from a real colleague or supplier).
  • For Exchange/on‑prem email: unusual sign-in activity, new mailbox rules you don’t recognise, unexplained email forwarding, or staff reporting emails “sent” that they didn’t write.

How attackers may exploit the situation

  • Checkout skimming: criminals inject malicious code into the checkout flow so customers enter card details into what looks like your normal payment journey.
  • Email server exploitation: attackers target the email platform to impersonate staff, access conversations, and pivot into payment fraud or wider network access.
  • Living-off-the-land behaviour: once inside, attackers often use legitimate admin tools and normal-looking actions, making early detection harder.

What to do today

  • If you run WordPress/WooCommerce: ask your web/IT support to immediately review your checkout for unexpected scripts and confirm the status of the Funnel Builder plugin (whether used and whether exposed). If you suspect skimming, treat it as an incident: preserve logs, contact your payment provider, and consider taking checkout temporarily offline until verified clean.
  • If you run on‑prem Exchange: confirm who is responsible for Exchange security monitoring and incident response this weekend (internal or outsourced). Ensure alerting is working and that you can reach the right person quickly.
  • For all staff (especially finance): repeat your “no last-minute bank detail changes by email” rule and require a second channel verification (known phone number, not one provided in the email).
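
One way your web/IT support could review a saved copy of the checkout page for unexpected scripts, shown here as an added example (it is not part of the original brief or any vendor's tool). The page URL, allowed hosts and sample HTML are constructed assumptions; replace them with your own shop's values and a baseline taken while the page is known to be clean.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptCollector(HTMLParser):  # gathers external script URLs and inline script bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._in_script, self._buf = not src, []  # no src: an inline body follows

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def collect(html):
    """Return (external script URLs, SHA-256 hashes of inline scripts)."""
    p = ScriptCollector()
    p.feed(html)
    return p.external, [hashlib.sha256(b.strip().encode()).hexdigest() for b in p.inline]

def audit_checkout(html, page_url, allowed_hosts, baseline_hashes):
    """Flag scripts from hosts outside the allowlist and inline scripts not in the baseline."""
    external, hashes = collect(html)
    findings = [("unexpected-host", s) for s in external
                if urlparse(urljoin(page_url, s)).hostname not in allowed_hosts]
    return findings + [("unknown-inline", h[:12]) for h in hashes if h not in baseline_hashes]

# Constructed sample data (assumptions): a known-clean checkout page and a tampered copy.
PAGE_URL = "https://shop.example/checkout/"
ALLOWED_HOSTS = {"shop.example", "js.payment-provider.example"}
CLEAN = """<form id="checkout"></form>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://js.payment-provider.example/v3/"></script>
<script>var checkoutConfig = {"currency": "GBP"};</script>"""
TAMPERED = (CLEAN + '\n<script src="//cdn.stats-collector.example/c.js"></script>'
            "\n<script>/* constructed: unexpected inline script */</script>")
BASELINE = set(collect(CLEAN)[1])  # record this while the page is known to be clean
```

This inspects only the HTML as served; scripts added later in the browser by other scripts, or served only to some visitors, need a rendered-page check as well.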

Ask your IT provider

  • Do we have any WordPress sites using the Funnel Builder plugin, and how are we monitoring for checkout page tampering?
  • If a customer reports card fraud, what is our incident runbook (who does what, and within what time)?
  • Are we running on‑prem Exchange? If yes, what additional monitoring is in place for mailbox rule creation, unusual logins, and suspicious email activity?
  • Who is on-call this weekend if we suspect an email compromise or e-commerce skimmer?

Patch watch

Two areas to prioritise with your IT support are: (1) WordPress plugin hygiene for any customer-facing shop (remove unused plugins, confirm ownership and update responsibility), and (2) on‑prem Exchange security updates and monitoring, as Microsoft has reported active exploitation of CVE‑2026‑42897. Don’t rely on “we’ll do it next week” if you are internet-exposed.

One action today

Send a short internal note today: “No supplier bank detail changes by email—verify via a known phone number,” and confirm who is on-call to handle suspected email or website payment incidents this weekend.

Related Actions On Cyber resource

Use the Actions On Cyber “Invoice fraud & payment change verification checklist” for finance and admin teams.

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.