Critical WordPress Plugin Flaw Exploited to Steal Payment Data via Checkout Skimmer

CSBadmin

Active Exploitation of Funnel Builder Vulnerability

A critical security flaw in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. The attack aims to steal sensitive payment information such as credit card numbers, CVVs, and billing addresses. The vulnerability, which has no official identifier, affects all versions of the plugin prior to 3.15.0.3; the plugin is used by over 40,000 online stores. Security firm Sansec identified the activity, warning that unauthenticated attackers can inject arbitrary scripts into every checkout page.

How the Attack Works

The exploit targets an exposed checkout endpoint in Funnel Builder that accepts incoming requests to execute internal methods. Older versions of the plugin did not verify caller permissions or restrict which methods could be invoked. Attackers send unauthenticated requests to reach an internal method that writes attacker-controlled data into the plugin's global settings. This allows them to insert fake Google Tag Manager scripts that load a payment skimmer. The skimmer communicates with a remote command-and-control server via a WebSocket connection to retrieve a customized payload for each victim storefront.

Impact and Mitigation

FunnelKit, the plugin maintainer, has released version 3.15.0.3 to patch the vulnerability. Store owners running Funnel Builder should update immediately to prevent unauthorized script injection. The attack demonstrates how plugins with poorly secured endpoint methods can be exploited for large-scale payment data theft, especially on e-commerce platforms handling financial transactions. Security experts recommend reviewing all active plugins for similar vulnerabilities and implementing strict permission checks on external script features.
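As an added illustration of the two controls the article says older versions lacked (this is not Funnel Builder's code; the class, route, option and method names are assumptions), here is a WordPress REST handler that dispatches to internal methods only through an allow-list and checks the caller's capability per method, so a settings-writing helper cannot be reached by an anonymous request:

```php
<?php
// Added example, not Funnel Builder's code; route, class, option and method names are
// assumptions. It shows the two controls the article says older versions lacked: an
// allow-list of reachable methods and a per-method check of the caller's capability.
class Example_Checkout_Endpoint {
    // Reachable methods and the capability each needs ('' = anonymous shoppers allowed).
    // Anything not listed, e.g. helpers that write settings, cannot be reached via dispatch().
    private const ROUTABLE = [
        'get_checkout_state'    => '',
        'save_tracking_snippet' => 'manage_options',
    ];

    public function register() {
        register_rest_route( 'example/v1', '/checkout', [
            'methods'             => 'POST',
            'callback'            => [ $this, 'dispatch' ],
            // Shoppers need the checkout, so the route is public; authorization is per method.
            'permission_callback' => '__return_true',
            'args'                => [ 'method' => [ 'required' => true, 'type' => 'string' ] ],
        ] );
    }

    public function dispatch( WP_REST_Request $request ) {
        $method = sanitize_key( (string) $request->get_param( 'method' ) );
        // Weak pattern: `return $this->$method( $request );` with no allow-list and no
        // permission check, which lets any caller invoke any internal method.
        if ( ! array_key_exists( $method, self::ROUTABLE ) ) {
            return new WP_Error( 'rest_forbidden', 'Unknown method.', [ 'status' => 403 ] );
        }
        $cap = self::ROUTABLE[ $method ];
        if ( '' !== $cap && ! current_user_can( $cap ) ) {
            return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', [ 'status' => 403 ] );
        }
        return rest_ensure_response( $this->$method( $request ) );
    }

    private function get_checkout_state( WP_REST_Request $request ) {
        return [ 'ok' => true ];
    }

    // Writes to the plugin's global settings; dispatch() only lets administrators here.
    private function save_tracking_snippet( WP_REST_Request $request ) {
        $settings = (array) get_option( 'example_plugin_settings', [] );
        $settings['tracking_snippet'] = (string) $request->get_param( 'snippet' );
        update_option( 'example_plugin_settings', $settings );
        return [ 'saved' => true ];
    }
}

add_action( 'rest_api_init', fn() => ( new Example_Checkout_Endpoint() )->register() );
```

Because the route uses WordPress cookie authentication, a logged-in administrator must also send a valid X-WP-Nonce header for `current_user_can()` to succeed; an anonymous request is treated as a shopper and is refused anything but the public method.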

Source: The Hacker News
