A critical flaw in the Funnel Builder WordPress plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages and deploy a payment card skimmer. FunnelKit has fixed the issue in version 3.15.0.3 and recommends users update immediately and inspect External Scripts for rogue code. #FunnelBuilder #FunnelKit #WooCommerce #Sansec
Key points
- The Funnel Builder plugin had an unauthenticated vulnerability affecting versions before 3.15.0.3.
- Attackers used the flaw to inject JavaScript through a public checkout endpoint.
- The malicious payload disguised itself as a fake Google Tag Manager or Google Analytics script.
- The injected code opened a WebSocket connection and delivered a payment card skimmer.
- FunnelKit released a fix and urged site owners to update and check External Scripts for rogue entries.