Active attacks are already underway, leveraging a critical flaw in the popular Funnel Builder by FunnelKit plugin to inject sneaky payment skimmers masked as ordinary marketing tools.
For online retailers, this active exploit represents a massive threat to consumer trust and financial security.
Sansec threat researchers are currently tracking active campaigns targeting Funnel Builder, a widely used checkout and upsell plugin for WordPress ecommerce environments.
The security defect affects all plugin versions before 3.15.0.3. Because user permissions were not validated, unauthenticated attackers can remotely inject arbitrary JavaScript code into every checkout page across an affected store.
The root cause of this vulnerability lies in a public checkout endpoint included within the Funnel Builder plugin. This endpoint allows incoming requests to select which internal method to execute.
Unfortunately, older releases fail to check the caller’s authorization level or restrict which methods are permitted to run. As a result, a remote attacker can reach an internal function that writes malicious data straight into the plugin’s global settings.
Whatever is set in the “External Scripts” setting is automatically printed on every checkout page, allowing the attacker to plant a persistent script that captures sensitive data on every transaction.
Cybercriminals are actively abusing this flaw to plant fake Google Tag Manager scripts into the plugin’s external script settings.
To an unsuspecting website administrator or security scanner, the injected code appears to be normal analytics tracking tags sitting right next to the store’s legitimate marketing scripts. However, this disguised code secretly loads a highly destructive payment skimmer.
FunnelKit has officially shipped a patched version of the plugin to address this critical security failure.
The patch fixes the vulnerability by adding missing capability checks and locking down the vulnerable endpoint to a strict allow list of safe methods, Sansec said.
The plugin developer is urging all customers to immediately update their FunnelKit plugins to version 3.15.0.3 or higher from the WordPress dashboard.
In addition to patching, site administrators must manually inspect their store settings. Website owners should navigate to Settings > Checkout, then check the External Scripts section and remove any unfamiliar or suspicious code.
Security experts also recommend running specialized ecommerce malware scanners to detect hidden backdoors or lingering threats that attackers may have already left behind.
Indicators of Compromise
| Indicator Type | Value |
|---|---|
| Malicious Script URL | analytics-reports[.]com/wss/jquery-lib.js |
| Command & Control (WebSocket) | wss://protect-wss[.]com/ws |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
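To support the manual review of the External Scripts setting recommended above, here is an added audit script (not Sansec's or FunnelKit's code). It extracts every script tag from the setting's contents, flags loaders from hosts outside an assumed trusted list, and matches against the two defanged indicators from the table above, re-fanging them only in memory; the trusted-host set and the sample blob are assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a checkout page's tag-manager/analytics scripts are
# normally expected to load from. Extend with the store's own vendors.
TRUSTED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Indicators from the report, kept defanged on disk and re-fanged in memory.
DEFANGED_IOC_HOSTS = ["analytics-reports[.]com", "protect-wss[.]com"]
KNOWN_BAD_HOSTS = {h.replace("[.]", ".") for h in DEFANGED_IOC_HOSTS}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.I | re.S)
WSS_RE = re.compile(r"wss?://([A-Za-z0-9.-]+)", re.I)


def host_of(url):
    """Lowercase host of an absolute or protocol-relative URL."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def audit_external_scripts(blob):
    """Return (reason, value) findings for an 'External Scripts' blob.

    External loaders are checked against the trusted and known-bad host
    sets; inline scripts are checked for WebSocket endpoints, since the
    skimmer's C2 in this campaign is a wss:// channel."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(blob):
        h = host_of(src)
        if h in KNOWN_BAD_HOSTS:
            findings.append(("known-bad script host", src))
        elif h not in TRUSTED_SCRIPT_HOSTS:
            findings.append(("untrusted script host", src))
    for body in INLINE_SCRIPT_RE.findall(blob):
        for h in WSS_RE.findall(body):
            bad = h.lower() in KNOWN_BAD_HOSTS
            findings.append(("known-bad websocket host" if bad else "inline websocket", h))
    return findings


# Constructed sample: a genuine GTM loader next to a fake "analytics" script
# and an inline WebSocket connection, mimicking the disguise described above.
SAMPLE = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>var s=new WebSocket("wss://protect-wss.com/ws");</script>
"""

if __name__ == "__main__":
    for reason, value in audit_external_scripts(SAMPLE):
        print(f"{reason}: {value}")
```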
The post Critical FunnelKit Bug Leaves WooCommerce Stores Open To Attacks appeared first on Cyber Security News.