Funnel Builder WordPress Plugin Vulnerability Exploited to Steal Credit Card Data
At a glance:
- Funnel Builder plugin vulnerability allows credit card data theft via malicious JavaScript injection.
- Attackers exploit unprotected WooCommerce checkout endpoints to inject skimmers targeting 40,000+ sites.
- FunnelKit patched the flaw in version 3.15.0.3, but many users remain at risk.
What Happened
The Funnel Builder plugin, a popular WooCommerce checkout customization tool developed by FunnelKit, has a critical security flaw being actively exploited. Sansec, an e-commerce security firm, discovered attackers using the vulnerability to inject malicious JavaScript into checkout pages. This malware, disguised as a fake Google Tag Manager script (analytics-reports.com/wss/jquery-lib.js), establishes a WebSocket connection to protect-wss.com/ws. The payload then modifies the plugin’s "External Scripts" setting, enabling attackers to deploy payment card skimmers that steal credit card numbers, CVVs, billing addresses, and other customer data.
The vulnerability affects all versions of Funnel Builder prior to 3.15.0.3. Attackers can exploit it without authentication, targeting the plugin’s publicly exposed checkout endpoint. Sansec’s analysis revealed the skimmer delivers customized malware tailored to each victim’s site, making detection difficult. The stolen data is often sold on dark web carding markets, enabling fraudulent purchases or identity theft.
How the Attack Works
The exploit leverages the plugin’s "External Scripts" feature, which allows administrators to add third-party code to checkout pages. Attackers inject a malicious script that mimics a legitimate analytics tool, so that it is loaded without suspicion. Once executed, the script establishes a WebSocket connection to the attacker’s server, which then delivers the skimmer. The skimmer operates in real time, capturing payment details as shoppers complete transactions. Notably, the attacker-controlled server customizes the skimmer for each target, increasing its effectiveness. This method bypasses traditional security measures, as the script appears benign and is delivered through a trusted plugin.
The Scale of the Threat
With over 40,000 websites using Funnel Builder, the potential impact is massive. E-commerce businesses reliant on WooCommerce for online sales are particularly vulnerable. The lack of an official vulnerability identifier complicates tracking, but Sansec’s detection highlights the urgency. The attacker’s ability to deploy customized skimmers means even sites with basic security could fall victim. Additionally, the plugin’s popularity among small and medium businesses amplifies the risk, as these entities may lack dedicated security teams to monitor or patch the flaw.
Vendor Response
FunnelKit acknowledged the issue in a security advisory, stating they identified the vulnerability and released version 3.15.0.3 to address it. The advisory urges users to update the plugin immediately via the WordPress dashboard. However, Sansec notes that many administrators may not have applied the patch yet. The company also recommends reviewing the "External Scripts" settings for any unauthorized entries. Despite the patch, the delay in widespread updates leaves a significant number of sites exposed. FunnelKit’s response underscores the challenges of maintaining security in widely used plugins, where rapid adoption often outpaces patch deployment.
What Users Should Do
Website owners using Funnel Builder must prioritize updating to version 3.15.0.3. This can be done through the WordPress admin panel under Plugins > Updates. After updating, administrators should audit the "External Scripts" section in Settings > Checkout to remove any suspicious entries. Additionally, implementing a web application firewall (WAF) or monitoring tools to detect unusual WebSocket activity could mitigate risks. For sites unable to update immediately, disabling the "External Scripts" feature temporarily may reduce exposure. Proactive monitoring and user education about phishing attempts related to checkout pages are also critical to prevent further breaches.
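The audit the preceding sections call for (reviewing the "External Scripts" entries and watching checkout pages for unexpected script hosts and WebSocket endpoints) can be scripted. The Python below is an added example written for this article, not code from FunnelKit, Sansec or the plugin. It uses the two hostnames the article reports as indicators, assumes an owner-maintained allowlist of approved tag hosts, and runs over a constructed checkout-page sample; how the plugin stores its "External Scripts" entries is not given in the article, so fetching them from WordPress is left to the operator.

```python
import re
from urllib.parse import urlparse

# Indicators named in the article (Sansec's findings): the fake Google Tag
# Manager loader host and the WebSocket host it calls back to.
KNOWN_BAD_HOSTS = {"analytics-reports.com", "protect-wss.com"}

# Third-party hosts this shop has deliberately approved for checkout pages.
# Constructed example allowlist; a real site lists its own tag/analytics hosts.
DEFAULT_ALLOWED_HOSTS = {"www.googletagmanager.com"}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
WS_URL_RE = re.compile(r'\bwss?://[^\s"\'<>()]+', re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or "" for a relative (first-party) path."""
    return (urlparse(url.strip()).hostname or "").lower()


def classify_host(host: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> str:
    """Verdict for one host: 'known_bad', 'first_party', 'allowed' or 'unknown'."""
    if host in KNOWN_BAD_HOSTS:
        return "known_bad"
    if host == "":
        return "first_party"
    if host in allowed_hosts:
        return "allowed"
    return "unknown"


def audit_markup(markup: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> list:
    """Scan HTML/JS for external <script src> hosts and WebSocket URLs.

    Returns one finding per distinct (kind, host). 'known_bad' matches the
    article's indicators; 'unknown' is a host the owner never approved and
    needs a human look, not proof of compromise.
    """
    findings = {}
    for src in SCRIPT_SRC_RE.findall(markup):
        host = host_of(src)
        findings.setdefault(("script", host), classify_host(host, allowed_hosts))
    for ws in WS_URL_RE.findall(markup):
        host = host_of(ws)
        findings.setdefault(("websocket", host), classify_host(host, allowed_hosts))
    return [{"kind": k, "host": h, "verdict": v} for (k, h), v in sorted(findings.items())]


def audit_external_script_entries(entries, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> list:
    """Audit the plugin's "External Scripts" entries (hypothetical input shape:
    a list of strings, each either a bare URL or an HTML snippet). Bare URLs
    are wrapped in a script tag so the same scan applies to both forms."""
    merged = []
    for entry in entries:
        e = entry.strip()
        if e.lower().startswith(("http://", "https://", "//")):
            e = f'<script src="{e}"></script>'
        merged.append(e)
    return audit_markup("\n".join(merged), allowed_hosts)


def suspicious(findings) -> list:
    """Only the findings an operator should act on."""
    return [f for f in findings if f["verdict"] in ("known_bad", "unknown")]


# Constructed sample (not captured from a real site): a checkout page with a
# legitimate GTM tag, a first-party WooCommerce script, the fake jquery-lib.js
# loader the article describes, and an inline snippet opening the callback
# WebSocket.
SAMPLE_CHECKOUT_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/checkout.min.js"></script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script>var s = new WebSocket("wss://protect-wss.com/ws");</script>
"""

if __name__ == "__main__":
    for f in suspicious(audit_markup(SAMPLE_CHECKOUT_HTML)):
        print(f"{f['verdict']:10} {f['kind']:9} {f['host']}")
```

Run it against the rendered HTML of a checkout page (fetched as a shopper, not from the admin side, since the injected script only appears where "External Scripts" are output) and against the entries exported from the plugin settings. An empty allowlist makes every third-party host show up as unknown, which is the right starting point for a site that has never inventoried its checkout tags.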
The Bigger Picture
This incident highlights vulnerabilities in widely used WordPress plugins, which often become targets due to their large user bases. The Funnel Builder case exemplifies how even trusted tools can be weaponized if security gaps persist. It also raises questions about the responsibility of plugin developers to ensure timely patching. As e-commerce grows, such breaches could lead to stricter regulations or increased scrutiny of third-party tools. Users must remain vigilant, recognizing that no plugin is entirely immune to exploitation. The rise of automated attack tools further complicates defense, emphasizing the need for layered security strategies.
FAQ
What is the Funnel Builder plugin vulnerability?
How does the attack steal credit card information?
What should website owners do to protect themselves?
Prepared by the editorial stack from public data and external sources.