A significant security vulnerability affecting the Funnel Builder plugin for WordPress has been identified and is currently under active exploitation. This flaw allows attackers to inject malicious JavaScript into WooCommerce checkout pages, with the intent of stealing sensitive payment data.
Details of the Vulnerability
According to a report from Sansec, the vulnerability affects all versions of the Funnel Builder plugin prior to 3.15.0.3. It is utilized in over 40,000 WooCommerce stores. The flaw enables unauthenticated attackers to inject arbitrary JavaScript into every checkout page of the affected stores.
Mechanism of Attack
The exploitation occurs through the plugin’s ‘External Scripts’ setting, where attackers can insert fake Google Tag Manager scripts. These scripts appear similar to legitimate analytics tags but are designed to load a payment skimmer that captures credit card numbers, CVVs, and billing addresses during the checkout process.
Sansec noted that the Funnel Builder has a publicly accessible checkout endpoint that does not verify caller permissions or restrict which internal methods can be invoked. This oversight allows attackers to send unauthenticated requests that can execute internal methods, leading to the injection of malicious code into the plugin’s global settings. Consequently, a tag can be added to every checkout page, triggering during transactions on compromised WordPress sites.
Mitigation Steps
FunnelKit, the maintainer of Funnel Builder, has released a patch in version 3.15.0.3 to address this vulnerability. Site owners are strongly advised to update their plugins to this version and to review the ‘Settings > Checkout > External Scripts’ section for any unfamiliar entries that may have been added maliciously.
Context and Implications
This incident highlights a recurring pattern in Magecart attacks, where skimmers are disguised as familiar tracking tags to evade detection. The ongoing exploitation of this vulnerability underscores the importance of maintaining up-to-date software and vigilant monitoring of website settings.
As the situation develops, further details may emerge, but for now, the focus remains on immediate remediation through updates and careful scrutiny of external scripts.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
