WordPress Funnel Builder Bug Exposes 40K Sites to Card Theft

Critical flaw in Funnel Builder plugin lets attackers inject malicious scripts, affecting thousands of WooCommerce sites.

By Serhat Kalender·Editor-in-Chief·May 16, 2026·2 min read
Image source: BleepingComputer

A critical vulnerability in the popular Funnel Builder plugin for WordPress has put over 40,000 websites at risk, enabling attackers to steal sensitive credit card information. This flaw, affecting all versions of the plugin prior to 3.15.0.3, has been actively exploited by malicious actors who inject harmful JavaScript into WooCommerce checkout pages.

The Vulnerability

Security firm Sansec uncovered the issue and reported that the exploit lets attackers modify the plugin's global settings through an unsecured, publicly accessible endpoint. This allows arbitrary JavaScript to be written into the plugin's 'External Scripts' setting, which the plugin then renders on checkout pages, where the injected code executes.

The malicious code masquerades as a legitimate Google Tag Manager or Google Analytics script, which then opens a WebSocket connection to a rogue server. This server distributes a customized payment card skimmer, stealing critical data such as credit card numbers, CVVs, billing addresses, and other customer information.

FunnelKit's Response

FunnelKit, the developer behind the Funnel Builder plugin, has responded quickly by releasing an updated version 3.15.0.3 to address this security gap. The company has confirmed the malicious activity and urges users to update their plugins immediately through the WordPress dashboard. Additionally, administrators are advised to scrutinize their settings for any unauthorized scripts that may have been added by attackers.
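The advice above is to check for unauthorized scripts, and the article describes the injected code as something that poses as a Google Tag Manager or Analytics snippet while opening a WebSocket to a rogue server. The following is an added example, not FunnelKit's code and not Sansec's detection logic: a small Python audit that parses a checkout page (or the raw contents of a script setting exported from the dashboard) and flags inline scripts that open a WebSocket, especially when they also look like a Google tag, plus external scripts loaded from hosts outside an allowlist. The allowlist, the regexes and the sample checkout HTML are all constructed for this example; the host names in the sample use the reserved `.invalid` TLD as placeholders.

```python
"""Audit <script> elements on a checkout page for skimmer-style indicators.

Added example (not plugin code). Heuristics, all assumptions of this example:
  * an inline script opens a WebSocket (new WebSocket(...) or a ws:// / wss:// URL)
  * such a script also names Google Tag Manager / Analytics, i.e. it poses as a tag
  * an external <script src=...> is served from a host not on the allowlist
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a site legitimately loads tag scripts from (assumption; adjust per site).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

WS_RE = re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://[^\s'\"]+", re.I)
GOOGLE_RE = re.compile(
    r"google\s*tag\s*manager|google-?analytics|\bgtag\b|dataLayer|\bgtm\b", re.I
)


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (script_index, reason) for scripts worth a manual look."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for idx, (src, body) in enumerate(parser.scripts):
        if src:
            host = urlparse(src).hostname or ""
            if host not in allowed_hosts:
                findings.append((idx, "external script from unlisted host: " + host))
            continue
        if WS_RE.search(body):
            reason = "inline script opens a WebSocket"
            if GOOGLE_RE.search(body):
                reason += " while posing as a Google tag"
            findings.append((idx, reason))
    return findings


# Constructed sample: a genuine-looking GTM loader, an allowed gtag include,
# a fake "Google Tag Manager" snippet that opens a WebSocket, and an unlisted CDN.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>/* Google Tag Manager */ var gtm_ws = new WebSocket("wss://placeholder.invalid/socket");
gtm_ws.onmessage = function(e){ /* loader stub, constructed for the example */ };</script>
<script src="https://cdn.placeholder.invalid/lib.js"></script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    for index, reason in find_suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"script #{index}: {reason}")
```

Run it against the saved HTML of your own checkout page, or against the value of the plugin's script setting copied out of the dashboard, and review every hit by hand. A legitimate tag loader fetches its code over HTTPS from a known host; an inline snippet that claims to be a Google tag but opens a WebSocket to an unfamiliar host is the pattern this article describes and deserves immediate attention.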

This incident highlights the necessity for regular updates and vigilant monitoring of site plugins, especially those handling financial transactions.

Context

The European e-commerce market is particularly vulnerable to such threats given its reliance on WordPress plugins like Funnel Builder to enhance conversion rates. This incident echoes past vulnerabilities in e-commerce platforms that have led to significant financial losses and data breaches. With GDPR in place, European businesses face additional pressure to maintain stringent data protection standards.

What this means for you

If you're a website owner or administrator using the Funnel Builder plugin, it's imperative to update to the latest version immediately. This update not only patches the vulnerability but also helps prevent potential financial and reputational damage. Be sure to review your site settings for any suspicious scripts to mitigate further risks.

What's still unclear

While FunnelKit has patched the vulnerability, questions remain about the extent of the data breach and how many users have been affected. Additionally, it’s uncertain how many websites have yet to implement the necessary updates to protect themselves.

Why this matters

Security flaws in widely used plugins like Funnel Builder pose significant risks to online businesses and their customers. This vulnerability underlines the importance of regular software updates and vigilant security practices to safeguard sensitive data. As the digital landscape evolves, so too must our efforts to protect it from emerging threats.
