Funnel Builder WordPress plugin bug exploited to steal credit cards
Briefly

"A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. The flaw has not received an official identifier and can be leveraged without authentication. It affects all versions of the plugin before 3.15.0.3. Funnel Builder is a WordPress plugin for WooCommerce Checkout developed by FunnelKit, primarily used to customize checkout pages, with features like one-click upsells, landing pages, and to optimize conversion rates."
"Sansec detected the malicious activity and noticed that the payload (analytics-reports[.]com/wss/jquery-lib.js) is disguised as a fake Google Tag Manager/Google Analytics script that opens a WebSocket connection to an external location (wss://protect-wss[.]com/ws). An attacker can exploit it to modify the plugin's global settings via an unprotected, publicly exposed checkout endpoint. This allows them to inject arbitrary JavaScript into the plugin's "External Scripts" setting, causing malicious code to execute on every checkout page."
"According to Sansec, the attacker-controlled server delivers a customized payment card skimmer that steals the following information: Credit card numbers, CVVs, Billing addresses, Other customer information. Payment card skimmers enable threat actors to make fraudulent online purchases, while stolen records often end up sold individually or in bulk on dark web portals known as carding markets."
"FunnelKit addressed the vulnerability in version 3.15.0.3 of Funnel Builder, released yesterday. A security advisory from the vendor, seen by Sansec, confirms the malicious activity, saying "we identified an issue that allowed bad actors to inject scripts." The vendor recommends that website owners and administrators prioritize updating to the latest version from the"
A vulnerability in the Funnel Builder plugin for WordPress is being exploited to inject malicious JavaScript into WooCommerce checkout pages. The flaw lacks an official identifier and can be used without authentication. All plugin versions before 3.15.0.3 are affected. Funnel Builder customizes WooCommerce checkout and supports features such as one-click upsells and landing pages. Sansec observed payload delivery disguised as a fake Google Tag Manager or Google Analytics script that opens a WebSocket connection to an external server. Attackers use a publicly exposed checkout endpoint to modify global plugin settings and inject arbitrary JavaScript into the plugin’s External Scripts setting. The injected code delivers a payment card skimmer that steals credit card numbers, CVVs, billing addresses, and other customer information. FunnelKit released version 3.15.0.3 to address the issue and advised updating to the latest version.
Read at BleepingComputer
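A defender-side check for the injection described above, as an added example that is not code from Sansec, FunnelKit or the article: it audits a saved copy of a checkout page for external scripts outside an allowlist and for WebSocket URLs, and flags the two hosts the article names. The allowlist, the `audit_checkout` helper and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article (defanged there, written plainly here for matching).
IOC_HOSTS = {"analytics-reports.com", "protect-wss.com"}
# Assumption: hosts this shop legitimately loads checkout scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "js.stripe.com"}
WS_URL = re.compile(r"wss?://[^\s'\"<>)]+", re.I)

class ScriptAudit(HTMLParser):
    """Collects external script hosts and WebSocket URLs inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.in_script, self.hosts, self.ws_urls = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            # Relative URLs have no hostname and are treated as first-party.
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.append(host)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.ws_urls.extend(WS_URL.findall(data))

def audit_checkout(html):
    """Return (finding_type, host) tuples for a checkout page's HTML."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for host in parser.hosts:
        if host in IOC_HOSTS:
            findings.append(("ioc-script", host))
        elif host not in ALLOWED_HOSTS:
            findings.append(("unlisted-script", host))
    for url in parser.ws_urls:
        host = urlparse(url).hostname or ""
        findings.append(("ioc-websocket" if host in IOC_HOSTS else "websocket", host))
    return findings

# Constructed sample: a checkout page with one legitimate tag and the injected ones.
SAMPLE = ('<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>'
          '<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>'
          '<script>var s = new WebSocket("wss://protect-wss.com/ws");</script>')
```

Any `unlisted-script` or `websocket` finding on a checkout page deserves review even when the host is not one of the two named indicators, since the External Scripts setting can hold arbitrary JavaScript.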