Funnel Builder Plugin Vulnerability Exploited in WooCommerce Attacks
Severity: High (Score: 72.9)
Sources: Bleepingcomputer, sansec.io
Summary
A critical vulnerability in the Funnel Builder plugin for WooCommerce is being actively exploited, affecting over 40,000 websites. Attackers can inject malicious JavaScript into checkout pages without authentication, allowing them to steal sensitive customer payment data. The vulnerability exists in all versions prior to 3.15.0.3, which has been patched by FunnelKit. The malicious code masquerades as Google Tag Manager scripts, opening a WebSocket to an attacker-controlled server to deliver a payment skimmer. E-commerce security firm Sansec has confirmed ongoing exploitation and recommends immediate updates and scans for affected stores. Website owners are advised to check their plugin settings for unauthorized scripts. The vulnerability has not been assigned an official identifier yet.
Key Points:
• Funnel Builder plugin vulnerability affects over 40,000 WooCommerce sites.
• Attackers inject malicious JavaScript to steal payment data via unprotected endpoints.
• FunnelKit released a patch for the vulnerability; immediate updates are recommended.
Key Entities
- Data Breach (attack_type)
- Malware (attack_type)
- CWE-287 - Improper Authentication (cwe)
- CWE-79 - Cross-Site Scripting (XSS) (cwe)
- CWE-862 - Missing Authorization (cwe)
- analytics-reports.com (domain)
- ecomscan.it (domain)
- protect-wss.com (domain)
- wordpress.org (domain)
- wordpress.org.in (domain)
- Magecart (malware)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1059.007 - JavaScript (mitre_attack)
- T1071.001 - Web Protocols (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Adobe Commerce (platform)
- Magento (platform)
- Shopware (platform)
- WooCommerce (platform)
- WordPress (platform)
- Google Analytics (tool)
- Google Tag Manager (tool)