Critical Vulnerability in WordPress Funnel Builder Plugin Exploited to Inject Credit Card Skimming Code into Online Stores.

E-commerce security company Sansec has detected a cyberattack targeting online stores running WooCommerce. Threat actors exploited a high-severity vulnerability in the WordPress Funnel Builder plugin to inject malicious JavaScript code into checkout pages. The vulnerability affects all plugin versions earlier than 3.15.0.3. At present, the plugin is actively used by more than 40,000 websites worldwide. This incident is particularly significant because it puts customers’ financial and personal information at risk of unauthorized access when they make purchases through affected online stores.

The attack was carried out by abusing the vulnerability, which allowed external attackers to modify the plugin’s global configuration through an unprotected public checkout endpoint without requiring any authentication. The attackers then injected malicious code into the plugin’s External Scripts section. This code was disguised to resemble ordinary tracking scripts such as Google Tag Manager or Google Analytics in order to evade detection by website administrators. When users visited the checkout page, the script opened a WebSocket connection to a command-and-control server to load and execute a payment card skimmer. As a result, sensitive information such as credit card numbers, CVV codes, billing addresses, and other customer details could be secretly exfiltrated to the attackers’ infrastructure. The stolen data could then be used for fraud or resold on underground markets.

For mitigation and risk reduction, FunnelKit, the plugin developer, has already released a patch for this vulnerability in version 3.15.0.3. Website owners and administrators should immediately update the plugin to the latest version through the WordPress administration dashboard. In addition to updating the plugin, administrators should perform basic security checks. They should review the plugin settings, navigate to the checkout configuration, and carefully inspect the External Scripts section to identify and remove any suspicious or unauthorized scripts. Administrators should also review server access logs for unusual requests related to the checkout endpoint. Timely updates and continuous monitoring are essential measures to help disrupt the attack chain and effectively protect customers’ transaction data.
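The External Scripts review described above can be partly automated. The following is an added example, not code from Sansec, FunnelKit or the plugin: it assumes an administrator has copied each External Scripts entry into a string, and the allowlist, function names and sample snippets are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only third-party tag hosts this store has approved.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Absolute or protocol-relative URLs, and any sign of WebSocket use.
URL_RE = re.compile(r"""(?:(?:https?|wss?):)?//[^\s'"<>)\\]+""", re.I)
WEBSOCKET_RE = re.compile(r"\bWebSocket\s*\(|\bwss?://", re.I)

def extract_hosts(snippet):
    """Return the lowercase hostnames of every URL referenced in the snippet."""
    hosts = set()
    for match in URL_RE.finditer(snippet):
        url = match.group(0)
        if url.startswith("//"):           # protocol-relative URL
            url = "https:" + url
        try:
            host = urlsplit(url).hostname
        except ValueError:                 # malformed authority, skip it
            continue
        if host and "." in host:
            hosts.add(host.lower())
    return hosts

def audit_snippet(snippet, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for one External Scripts entry (empty list = nothing flagged)."""
    findings = []
    if WEBSOCKET_RE.search(snippet):
        findings.append("websocket: snippet opens or references a WebSocket")
    brands = {h.split(".")[-2] for h in allowed_hosts}   # e.g. "googletagmanager"
    for host in sorted(extract_hosts(snippet) - set(allowed_hosts)):
        # Exact-match allowlisting: a host that merely contains a trusted name is a lookalike.
        kind = "lookalike-host" if any(b in host for b in brands) else "unknown-host"
        findings.append(f"{kind}: {host}")
    return findings

# Constructed samples, not taken from the incident.
BENIGN = '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>'
SUSPICIOUS = ('<!-- Google Tag Manager -->\n'
              '<script>var c=new WebSocket("wss://www.googletagmanager.com.tags.example.invalid/gtm");</script>')

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_snippet(text))
```

A finding is a prompt for manual review, not proof of compromise; an empty result does not clear an entry that hides its URLs through encoding.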

Source: https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/