Critical Vulnerability in Funnel Builder WordPress Plugin Exploited to Steal Credit Cards
Ongoing exploitation of a critical vulnerability in the Funnel Builder plugin for WordPress has been identified. The flaw lets attackers inject malicious JavaScript into WooCommerce checkout pages.
It affects all versions of the Funnel Builder plugin before 3.15.0.3 and requires no authentication to exploit.
Funnel Builder, developed by FunnelKit, is a popular WordPress plugin used to customize checkout pages for WooCommerce. It offers features such as one-click upsells, landing pages, and tools to enhance conversion rates.
With over 40,000 active installations according to WordPress.org data, Funnel Builder is a widely utilized plugin in the e-commerce space.
Security researchers at Sansec have observed the exploitation in action, noting that the malicious payload masquerades as a fake Google Tag Manager/Google Analytics script. It establishes a WebSocket connection to an external location (wss://protect-wss[.]com/ws) while being disguised as analytics-reports[.]com/wss/jquery-lib.js.
The vulnerability lets an unauthenticated attacker alter the plugin’s global settings through an exposed checkout endpoint and insert arbitrary JavaScript into the “External Scripts” setting. Because the plugin emits that setting on every checkout page, the injected code runs in the browser of every shopper who reaches checkout.
Sansec has identified that the attacker-controlled server deploys a customized payment card skimmer, capable of stealing sensitive information including credit card numbers, CVVs, billing addresses, and other customer data.
Payment card skimmers empower threat actors to conduct fraudulent online transactions, with stolen data often being sold on dark web platforms known as carding markets.
The security vulnerability in Funnel Builder has been addressed in the latest version 3.15.0.3 released by FunnelKit.
In a security advisory, FunnelKit acknowledged the issue, stating that “we identified an issue that allowed bad actors to inject scripts.”
Website owners and administrators are advised to update to the newest version of the plugin promptly through the WordPress dashboard. They should also review the “Settings > Checkout > External Scripts” section for scripts they did not add, and compare the rendered HTML of a live checkout page against the expected tags: the skimmer exfiltrates card data directly from the shopper’s browser over a WebSocket, so it leaves no trace in server-side payment or access logs, and the checkout page source is where the evidence lives.
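The following script is an added example, not code from Sansec, FunnelKit or the original article. It audits the `<script>` tags of a saved checkout page (or the contents of the External Scripts setting pasted into a file) for the indicators described above: references to the reported IoC hosts, any WebSocket use on a checkout page, and scripts that present themselves as Google Tag Manager/Analytics while loading from or talking to a non-Google host. The sample HTML is constructed to mirror the reported indicators; the allowlist of Google tag hosts and the `audit_scripts` function are this example's own assumptions.

```python
import re
from html.parser import HTMLParser

# Indicator hosts reported for this campaign (defanged in the article as
# protect-wss[.]com and analytics-reports[.]com).
KNOWN_BAD_HOSTS = {"protect-wss.com", "analytics-reports.com"}

# Hosts a genuine Google Tag Manager / Google Analytics tag loads from.
# Assumption of this example; extend it if your tag setup differs.
GOOGLE_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

URL_RE = re.compile(r"(?:https?|wss?)://[^\s'\"<>)]+", re.I)
WEBSOCKET_RE = re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://", re.I)
GOOGLE_TAG_WORDS = re.compile(
    r"googletagmanager|google-analytics|google\s*tag\s*manager|\bgtm\b|\bgtag\b", re.I
)


class ScriptCollector(HTMLParser):
    """Collects every <script> tag's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # each entry: {"src": str, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src") or "", "body": ""})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw CDATA, possibly in chunks.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def host_of(url):
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def is_known_bad(host):
    return host in KNOWN_BAD_HOSTS or any(host.endswith("." + b) for b in KNOWN_BAD_HOSTS)


def audit_scripts(html):
    """Return a list of suspicious scripts, each with the reasons it was flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        text = s["src"] + "\n" + s["body"]
        hosts = {host_of(u) for u in URL_RE.findall(text)}
        hosts.discard("")
        reasons = []

        bad = sorted(h for h in hosts if is_known_bad(h))
        if bad:
            reasons.append("references known IoC host(s): " + ", ".join(bad))

        # Nothing on a checkout page should need a WebSocket.
        if WEBSOCKET_RE.search(text):
            reasons.append("opens a WebSocket")

        # A tag that calls itself GTM/GA but talks to a non-Google host is a decoy.
        if GOOGLE_TAG_WORDS.search(text):
            foreign = sorted(h for h in hosts if h not in GOOGLE_TAG_HOSTS)
            if foreign:
                reasons.append("looks like a Google tag but talks to " + ", ".join(foreign))

        if reasons:
            findings.append({"src": s["src"] or "(inline)", "reasons": reasons})
    return findings


# Constructed sample checkout page: two legitimate Google tags followed by
# two injected scripts modelled on the reported indicators.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>
  /* Google Tag Manager */
  var ws = new WebSocket("wss://protect-wss.com/ws");
</script>
</head><body>checkout form here</body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(f["src"])
        for r in f["reasons"]:
            print("   -", r)
```

Run it against `curl -s https://your-shop.example/checkout/` output saved to a file, or paste the External Scripts setting into the HTML string. The IoC list catches this campaign; the WebSocket and decoy-tag rules are the ones that will still fire when the attacker rotates domains.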