Possible. But there isn't a known vulnerability affecting Electrum as of now. If you were to verify[1] Electrum, you can eliminate the possibility of you having downloaded a malicious version. How are you loading it into the website? Can you be certain if the customer is trying to scam you by telling you they've paid and provided you with a fake TXID that sends the transaction to another address?

[1] https://bitcointalk.org/index.php?topic=5240594.0