Bottom line: An unauthenticated vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject a payment card skimmer into WooCommerce checkout pages and steal credit card data and CVV codes.
A severe vulnerability in the WordPress plugin Funnel Builder is currently being exploited in the wild to inject malicious JavaScript into WooCommerce checkout pages. The flaw can be exploited without authentication, has no official CVE identifier, and affects all plugin versions before 3.15.
The WordPress plugin Funnel Builder is developed by vendor FunnelKit and primarily serves to customize checkout pages. It features powerful functionality such as one-click upsells and specialized landing pages to increase conversion rates. According to WordPress.org, the plugin is active on over 40,000 websites.
E-commerce security company Sansec identified the malicious activity and determined that the malicious payload is delivered from analytics-reports[.]com/wss/jquery-lib. The JavaScript disguises itself as a fake Google Tag Manager or Google Analytics script and opens a WebSocket connection to an external server at wss://protect-wss[.].
The vulnerability allows attackers to modify the plugin’s global settings through an unauthenticated, publicly accessible checkout endpoint. This lets them inject arbitrary JavaScript into the plugin’s “External Scripts” setting, so the malicious code executes on every checkout page.
The attacker-controlled server then delivers a customized payment card skimmer that steals credit card details and CVV codes.
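A shop operator can check for the pattern described above (an unexpected external script on the checkout page plus an inline WebSocket to a remote host) with a small audit over the rendered checkout HTML. This is an added example, not Sansec's or FunnelKit's code; the allowlist of script hosts and the `ws.attacker.invalid` WebSocket host in the sample are assumptions for the demo, and the loader host is taken from the report above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "www.googletagmanager.com"}  # assumed allowlist for the demo
KNOWN_BAD_HOSTS = {"analytics-reports.com"}  # loader host from the report, undefanged here to match
WSS_RE = re.compile(r'new\s+WebSocket\s*\(\s*["\'](wss?://[^"\']+)["\']')

class ScriptCollector(HTMLParser):
    # Collects <script src=...> URLs and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_checkout_html(html):
    # Returns (reason, url) pairs for scripts a checkout page should not be loading.
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known-bad-script", src))
        elif host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected-external-script", src))
    for body in p.inline:  # the skimmer opens its own WebSocket channel to a remote server
        for m in WSS_RE.finditer(body):
            if (urlparse(m.group(1)).hostname or "") not in ALLOWED_SCRIPT_HOSTS:
                findings.append(("websocket-to-external-host", m.group(1)))
    return findings

# Constructed checkout fragment for the demo (not a real capture); the WebSocket host is a placeholder.
SAMPLE_CHECKOUT_HTML = (
    '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>'
    '<script src="https://analytics-reports.com/wss/jquery-lib"></script>'
    '<script>var ws = new WebSocket("wss://ws.attacker.invalid/");</script>')
```

Run it against the HTML your own browser receives on the checkout page (logged-out, as a customer would see it), since the injected script only appears in the rendered checkout output, and compare the "External Scripts" setting in the plugin's admin page against what you expect to be there.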