

Ethical Hacking News

A Critical WooCommerce Checkout Skimming Vulnerability: A Threat to E-commerce Security


A critical security vulnerability affecting WooCommerce stores has been identified in the Funnel Builder plugin, allowing attackers to inject malicious JavaScript code into checkout pages. Site owners are advised to update the Funnel Builder plugin to version 3.15.0.3 and review security settings carefully to prevent this threat.

  • The Funnel Builder for WordPress plugin has a critical security vulnerability that enables attackers to steal payment data.
  • The vulnerability stems from the plugin neither checking the caller's permissions nor limiting which methods may be invoked, allowing attackers to inject malicious code into the checkout process.
  • An attacker can plant a malicious script tag on every checkout transaction, potentially stealing credit card numbers, CVVs, and other personal information.
  • Site owners are advised to update the plugin to version 3.15.0.3, review external scripts, and keep plugins and themes up to date to prevent similar vulnerabilities.
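
One way to carry out the "review external scripts" advice, as an added example that is not code from Sansec or the plugin: a Python audit of a rendered checkout page that reports every script not served from an expected host. The allowlist, host names and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this shop intentionally loads scripts from (constructed values).
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}


class ScriptCollector(HTMLParser):
    """Collects the src of every <script> tag and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src.strip())
        else:
            self.inline += 1


def audit_checkout(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (unexpected_script_urls, inline_script_count) for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    unexpected = []
    for src in collector.sources:
        parsed = urlparse(src)
        # Absolute and protocol-relative (//host/x.js) URLs carry a hostname;
        # a relative path has none and is served by the shop itself.
        host = (parsed.hostname or page_host).lower()
        # Anything that is not plain http(s), e.g. a data: URI, is always reported.
        if parsed.scheme not in ("", "http", "https") or host not in allowed:
            unexpected.append(src)
    return unexpected, collector.inline


# Constructed sample of a rendered checkout page, not real traffic.
SAMPLE = """
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="//cdn.unknown-analytics.example/t.js"></script>
<script>var checkout = {};</script>
"""

if __name__ == "__main__":
    print(audit_checkout(SAMPLE, "shop.example"))
```

Inline scripts are only counted here; a change in that count between two runs against the same checkout page is worth inspecting by hand.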


In a recent security alert, Sansec has highlighted a critical vulnerability in the popular e-commerce plugin Funnel Builder for WordPress. The vulnerability, which is currently under active exploitation, enables attackers to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data.

According to Sansec, the flaw lies in the fact that older versions of the Funnel Builder plugin do not check the caller's permissions or limit which methods are allowed to be invoked. This allows an attacker to issue an unauthenticated request that can reach an unspecified internal method, which then writes attacker-controlled data directly into the plugin's global settings.

As a result, an attacker could plant a malicious







