A critical security vulnerability in the Funnel Builder plugin for WordPress is under active exploitation, and attackers are using it to inject malicious JavaScript code into WooCommerce checkout pages to steal customer payment data.
The Funnel Builder plugin vulnerability exploited affects all versions of the plugin before 3.15.0.3, and the plugin is used in more than 40,000 WooCommerce stores according to WordPress statistics.
Dutch e-commerce security company Sansec published details of the Funnel Builder plugin vulnerability exploited this week, and the flaw currently does not have an official CVE identifier, but attackers are actively using it in the wild.
FunnelKit which maintains Funnel Builder has released a patch for the vulnerability in version 3.15.0.3, and all WooCommerce store owners using Funnel Builder should update immediately.
What Is Funnel Builder?
Funnel Builder is a WordPress plugin created by FunnelKit, and it helps WooCommerce store owners create optimized checkout funnels, upsells, and downsells to increase conversion rates.
The vulnerability of the Funnel Builder plugin affects how the plugin manages the ability to control which scripts run on checkout pages; therefore, attackers have found ways to exploit this vulnerability without needing to authenticate.
The plugin is popular with over 40,000 active installations, and many of those stores may still be running vulnerable versions.
How the Attack Works
The Funnel Builder plugin vulnerability exploited allows unauthenticated attackers to inject arbitrary JavaScript into every checkout page on a WooCommerce store.
Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run, but older versions of the Funnel Builder plugin vulnerability exploited never checked the caller's permissions or limited which methods are allowed to be invoked.
An attacker can exploit this loophole by issuing an unauthenticated request that reaches an unspecified internal method, and this method writes attacker-controlled data directly into the plugin's global settings.
The Funnel Builder plugin vulnerability exploited then injects the attacker's code snippet into every Funnel Builder checkout page, and any customer visiting the checkout page will execute the malicious JavaScript.
The Payment Skimmer Payload
Sansec observed attackers planting fake Google Tag Manager scripts into the plugin's External Scripts setting, and the injected code looks like ordinary analytics next to the store's real tracking tags.
The Funnel Builder plugin vulnerability exploited payload masquerades as a Google Tag Manager loader, but it actually launches JavaScript hosted on a remote domain, and that JavaScript opens a WebSocket connection to the attacker's command-and-control server at wss://protect-wss[.]com/ws.
The WebSocket connection retrieves a skimmer that is tailored to the victim's storefront, and the skimmer steals credit card numbers, CVVs, billing addresses, and other personal information entered by customers at checkout.
Sansec noted that dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag.
The Unauthenticated Nature
The Funnel Builder plugin vulnerability exploited is particularly dangerous because it requires no authentication whatsoever.
An attacker does not need a username, password, or any special privileges to exploit this vulnerability, they simply need to know the target WooCommerce store's URL, and they can send a crafted request to the exposed checkout endpoint.
The Funnel Builder plugin vulnerability exploited allows the attacker to write directly to the plugin's global settings without any permission checks, and this is a fundamental design flaw in how older versions handled internal method invocation.
Once the malicious script is written to the settings, the Funnel Builder plugin vulnerability exploited ensures that the script runs on every checkout page for every customer.
The Data Being Stolen
The Funnel Builder plugin vulnerability exploited payment skimmer is designed to steal sensitive customer information entered during checkout.
Skimming targets credit card numbers, which are captured by the skimmer when the customer enters them into a payment form.
Skimmers can often capture CVV codes (the security code on the back of most credit/debit cards) and/or your billing address (full name, street address, city, state, and ZIP code). This information can be used for identity theft or to meet the requirements of a card-not-present fraud check.
Other personal information entered at checkout may also be stolen depending on how the skimmer is configured.
The Funnel Builder plugin vulnerability exploited skimmer exfiltrates all of this data through the WebSocket connection to the attacker's C2 server.
The External Scripts Setting
The Funnel Builder plugin vulnerability exploited targets the plugin's External Scripts setting which is normally used by store owners to add legitimate tracking codes like Google Analytics, Google Tag Manager, or Facebook Pixel.
Attackers inject their malicious scripts into this same setting, and the injected code appears alongside the store's legitimate tracking tags.
A store owner reviewing the External Scripts setting might see what looks like a normal Google Tag Manager script and leave it in place, not realizing that the script is actually a payment skimmer.
Sansec advised store owners to review Settings > Checkout > External Scripts for anything that is unfamiliar and remove it immediately.
The Patch
FunnelKit released a patch for the Funnel Builder plugin vulnerability exploited in version 3.15.0.3, and all WooCommerce store owners using Funnel Builder should update to this version or later.
The patch adds proper permission checks to the exposed checkout endpoint, and it validates which internal methods can be called by unauthenticated requests.
While a patch is available to mitigate the security vulnerability of the Funnel Builder Plugin, any store that continues to run an older version of that plugin will still be subject to active exploitation.
Once a store owner has updated to the patched version of the plugin, they should also review their External Scripts setting and remove any potential malware that may have been inserted prior to installation of the patch.
The Scale of the Problem
The Funnel Builder plugin vulnerability exploited affects more than 40,000 WooCommerce stores, and this represents a significant attack surface for payment skimmer operators.
Not all of these stores are vulnerable because some may have already updated to version 3.15.0.3, but many stores especially smaller operations may not have applied the patch yet.
The Funnel Builder plugin vulnerability exploited is actively being used in attacks according to Sansec, and store owners should assume that attackers are scanning for vulnerable installations right now.
The Joomla Connection
The Funnel Builder plugin vulnerability exploited disclosure comes weeks after Sucuri detailed a separate campaign targeting Joomla websites, and that campaign uses heavily obfuscated PHP code to backdoor sites.
The Joomla backdoor contacts attacker-controlled C2 servers, receives and processes instructions, and serves spammy content to visitors and search engines without the site owner's knowledge.
Sucuri researcher Puja Srivastava explained that the script acts as a remote loader, it contacts an external server, sends information about the infected website, and waits for instructions, and the response from the remote server determines what content the infected site should serve.
This approach allows attackers to change the behavior of the compromised website at any time without modifying the local files again, and the attacker can inject spam product links, redirect visitors, or display malicious pages dynamically.
While the Joomla campaign is different from the Funnel Builder plugin vulnerability exploited, both demonstrate that content management systems remain a favorite target for attackers.
The Magecart Pattern
The Funnel Builder plugin vulnerability exploited fits the Magecart pattern perfectly, and Magecart is a term for cybercriminal groups that inject payment skimmers into e-commerce websites.
Magecart attacks have been ongoing for years, and they have targeted major platforms including Magento, WooCommerce, Shopify, and custom e-commerce sites.
The Funnel Builder plugin vulnerability exploited shows that Magecart attackers are constantly looking for new ways to inject their skimmers, and they are willing to exploit zero-day vulnerabilities in popular plugins.
Dressing skimmers as legitimate analytics code is a classic Magecart technique, and it works because security reviewers often skip over anything that looks like a familiar tracking tag.
How to Protect Your WooCommerce Store
The Funnel Builder plugin vulnerability exploited is under active attack, here is what you need to do.
1. Update Funnel Builder immediately. Install version 3.15.0.3 or later, the Funnel Builder plugin vulnerability exploited is fixed in this version, and do not delay because attackers are actively scanning.
2. Verify Your External Scripts Settings, You want to go into your WordPress Settings Admin panel and navigate to Settings -> Checkout -> External Scripts and review for any external scripts you do not recognize. If there are any scripts you do not recognize, you should remove them immediately.
3. Look For a Skimmer Domain. Check if you find wss://protect-wss[.]com/ws in the source code of your website or through the website analytics of your site to determine if criminals are using this WebSocket C2 server to access your website through the security vulnerability is present is from the recently exploited Funnel Builder Plugin.
4. Monitor For Checkout Page Issues. Use a client-side protection tool to determine whether or not any scripts have been added, and you will find them to the Checkout Page through the source code of the respective page.
5. Change Your API keys, webhook secrets and payment gateway credentials would be done if you suspect that you were hacked.
6. You may want to set up a Web Application Firewall (WAF) to prevent hackers from sending unauthenticated requests to exploit the Funnel Builder plugin vulnerability being exploited by ID theft.
Final Thoughts
The Funnel Builder plugin vulnerability exploited is a serious threat to over 40,000 WooCommerce stores, and attackers are actively using it to inject payment skimmers that steal customer credit card information.
The Funnel Builder plugin vulnerability exploited requires no authentication, it allows unauthenticated attackers to write arbitrary JavaScript to the plugin's settings, and that JavaScript runs on every checkout page.
FunnelKit released a patch in version 3.15.0.3, but many stores may not have updated yet, and every day that a store runs a vulnerable version is a day that attackers could be stealing customer payment data.
If you run a WooCommerce store with Funnel Builder, stop reading and update your plugin right now, then review your External Scripts setting, and check for any signs of compromise, because your customers' credit card numbers depend on it.
FAQ Section
What is the Funnel Builder plugin vulnerability exploited in the wild?
The Funnel Builder plugin vulnerability exploited allows unauthenticated attackers to inject arbitrary JavaScript into WooCommerce checkout pages, the flaw affects all versions before 3.15.0.3, and attackers are actively using it to deploy payment skimmers.
What method do attackers use to exploit the vulnerability in the funnel builder?
Attackers send unauthenticated requests to a publicly available checkout endpoint, which sends the request to an internal method to add attacker-controlled data to the external scripts setting for the Funnel Builder plugin, which then causes the attacker via an external script to execute malicious code on every checkout page.
What information do payment skimmers steal and how do they use it after they execute their hack on the funnel builder plugin vulnerability?
After executing their hacking of the funnel builder plugin vulnerability, the skimmer that is deployed via the funnel builder plugin steals credit card numbers, CVV, billing addresses, and other personal data entered by customers while checking out. The stolen information is exfiltrated from the infected WooCommerce store through a WebSocket connection to wss://protect-wss[.]com/ws.
How do I check if my WooCommerce store became compromised by this attack?
You can check for any suspicious external scripts by going to Settings > Checkout > External Scripts. You can look for references to wss://protect-wss[.]com/ws in your storefront source code or in the network traffic to and from your website. You can also monitor your checkout pages for any unexpected JavaScript.
Was there a patch developed for this vulnerability that was exploited in the funnel builder plugin?
Yes, a patch was released by FunnelKit in version 3.15.0.3, and all WooCommerce storeowners using the funnel builder plugin should immediately update their funnel builder plugin to version 3.15.0.3 or later, and then review their external scripts for any malicious injection.