Critical Unauthenticated Flaw in Funnel Builder WordPress Plugin Exploited to Inject Payment Skimmers

Funnel Builder WordPress Plugin Flaw Actively Exploited to Skim Payments from 40,000+ Stores

CRITICAL
May 17, 2026
4m read
Cyberattack, Vulnerability, Data Breach

Impact Scope

People Affected: Customers of over 40,000 websites
Industries Affected: Retail

Executive Summary

A critical unauthenticated vulnerability is being actively exploited in the Funnel Builder plugin for WordPress, impacting more than 40,000 e-commerce websites. The flaw allows attackers to inject malicious JavaScript into the checkout pages of sites using the WooCommerce platform. This injected code functions as a payment skimmer, capturing and exfiltrating sensitive customer data, including credit card numbers, CVVs, and billing information, during the checkout process. The plugin's developer, FunnelKit, has addressed the vulnerability in version 3.15.0.3 and strongly advises all users to update immediately and inspect their sites for signs of compromise.


Threat Overview

The vulnerability represents a significant threat to small and medium-sized businesses that rely on WordPress and WooCommerce for their e-commerce operations. The attack is particularly dangerous for several reasons:

  • Unauthenticated Access: The attacker does not need any credentials or prior access to the WordPress dashboard to exploit the flaw.
  • Stealthy Payload: The malicious code is disguised as a legitimate Google Tag Manager script, making it less likely to be noticed during a cursory inspection.
  • Direct Financial Impact: The attack directly targets payment information, leading to financial fraud, chargebacks, and severe reputational damage for the affected merchants.

This type of attack, often associated with groups like Magecart, involves compromising e-commerce sites to steal payment card data, a practice known as digital skimming or e-skimming.

Technical Analysis

The root cause of the vulnerability is an insecure public-facing checkout endpoint within the Funnel Builder plugin. This endpoint fails to perform proper permission checks, allowing any unauthenticated user to interact with it.

Attack Chain

  1. Exploitation: An attacker sends a specially crafted, unauthenticated HTTP request to the vulnerable endpoint.
  2. Injection: The request triggers an internal plugin method that is responsible for saving settings. The attacker uses this to write a malicious JavaScript snippet (disguised as a Google Tag Manager script) into the plugin's "External Scripts" configuration, which is stored in the WordPress database.
  3. Activation: This malicious script is now globally configured to load on the website. When a customer navigates to the checkout page, the script is loaded and executed by their browser.
  4. Skimming: The script monitors the payment form fields. When the customer enters their credit card number, CVV, name, and address, the script captures this data.
  5. Exfiltration: The captured data is then sent to a remote, attacker-controlled server.

This attack leverages the T1190 - Exploit Public-Facing Application technique for initial access and T1059.007 - JavaScript for the skimming payload.

Impact Assessment

For the over 40,000 websites using a vulnerable version of the Funnel Builder plugin, the impact is severe:

  • Customer Data Breach: All customers who make purchases on a compromised site are at risk of having their payment and personal information stolen.
  • Financial Loss: Merchants face significant financial repercussions, including chargeback fees, fines from payment card issuers (PCI DSS non-compliance penalties), and lost revenue.
  • Reputational Damage: Trust is paramount in e-commerce. A payment data breach can permanently damage a brand's reputation and drive customers away.
  • Cleanup Costs: Removing the infection, notifying customers, and hardening the website against future attacks can be a costly and time-consuming process.

Cyber Observables: Hunting Hints

Security teams and website administrators should hunt for the following indicators:

  • file_path: wp-content/plugins/funnel-builder/. Check the version of the plugin. Versions before 3.15.0.3 are vulnerable.
  • url_pattern: g-tag-manager.com, google-tm.com. Attackers often use typosquatted domains for the fake Tag Manager script. Check for any suspicious domains in external script loaders.
  • string_pattern: checkout, cardnumber, cvv. Inspect any custom JavaScript loaded on the checkout page for strings that suggest it is interacting with payment form fields.
  • log_source: Web Server Access Logs. Look for unusual POST requests to endpoints related to the Funnel Builder plugin that do not originate from a logged-in administrator's IP address.

Detection & Response

  • Check Plugin Version: The first step is to navigate to the WordPress dashboard -> Plugins and check the version of the "Funnel Builder by FunnelKit" plugin. If it is below 3.15.0.3, assume you are at risk.
  • Inspect External Scripts: Go to the Funnel Builder settings and carefully examine the "External Scripts" section. Look for any scripts you did not add, especially anything that looks like a Google Tag Manager script but seems suspicious. Remove any unauthorized entries.
  • Scan for Malicious Code: Use a reputable WordPress security scanner (e.g., Wordfence, Sucuri) to scan your site's files and database for malicious code and backdoors.
  • Analyze Network Traffic: Use browser developer tools (Network tab) on your checkout page to see where data is being sent. Look for any POST requests to unknown or suspicious domains when you submit the payment form. This is a form of Outbound Traffic Filtering (D3-OTF).

Mitigation

  • Update Immediately: The most important mitigation step is to update the Funnel Builder plugin to version 3.15.0.3 or newer. This patch removes the unauthenticated access vulnerability.
  • Web Application Firewall (WAF): A properly configured WAF can help block malicious requests, but it should not be relied upon as the sole defense. It is a good implementation of Inbound Traffic Filtering (D3-ITF).
  • Regular Audits: Regularly audit your WordPress plugins, themes, and user accounts. Remove any that are not necessary to reduce your attack surface.
  • File Integrity Monitoring: Use a security plugin that monitors your core WordPress files for changes.

Timeline of Events

  • May 17, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Immediately update the Funnel Builder plugin to the patched version (3.15.0.3 or later) to remediate the vulnerability.
  • Audit (M1047, enterprise): Regularly audit WordPress plugins, themes, and configurations for unauthorized changes or suspicious scripts.
  • Use a Web Application Firewall (WAF) to filter incoming traffic and block requests that match known attack patterns.

D3FEND Defensive Countermeasures

The most critical and immediate action for any organization using the Funnel Builder plugin is to perform a Software Update. The vulnerability is a direct result of a code-level flaw that has been fixed by the developer, FunnelKit, in version 3.15.0.3. Delaying this update leaves the e-commerce store completely exposed to unauthenticated attackers. Administrators should navigate to their WordPress dashboard, go to the 'Plugins' section, and initiate the update for 'Funnel Builder by FunnelKit'. It is also advisable to enable automatic updates for critical plugins like this to ensure future vulnerabilities are patched promptly. Before updating a live site, best practice is to take a full backup of the site files and database. After the update is complete, verify that the checkout process and other plugin features are still functioning correctly. This single action closes the entry vector used by the attackers.

For organizations that may have been compromised before patching, System File Analysis is a crucial step in the incident response process. Since the attack involves injecting a malicious script into the plugin's settings, the malicious code is stored within the WordPress database, not just as a file on the server. Security teams or site administrators must inspect the wp_options table in their WordPress database. Look for rows related to FunnelKit or Funnel Builder settings, specifically any that store 'External Scripts'. Carefully examine the content of these fields for any JavaScript that was not added by an administrator. Look for obfuscated code or scripts loaded from suspicious, non-Google domains that mimic Google Tag Manager. A file integrity monitoring tool can also be used to check for unauthorized changes to plugin files themselves, as attackers may leave behind backdoors after the initial compromise. Removing the malicious database entry is key to eradicating the skimmer.
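As an added illustration of the wp_options inspection described above (this is not code from the article or from FunnelKit), the Python script below audits one "External Scripts" value: it collects every host a script loads from, flags any host that is not the genuine Google Tag Manager host, and reports inline scripts that reference the checkout, cardnumber or cvv strings from the hunting hints. The allow-list, the sample setting and the GTM-XXXXXXX container id are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hosts a genuine Google Tag Manager loader uses (assumption: extend for your own vendors).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}
# Strings from the hunting hints above that suggest a script touches payment form fields.
SKIMMER_MARKERS = ("checkout", "cardnumber", "cvv")
_URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the full bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []  # start buffering an inline script body
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
def audit_external_scripts(setting_html):
    """Return findings for one 'External Scripts' value read from wp_options."""
    parser = _ScriptCollector()
    parser.feed(setting_html)
    findings = []
    # Hosts named in src= attributes plus URLs assembled inside inline loaders.
    hosts = [urlparse(s if "//" in s else "//" + s).hostname or "" for s in parser.srcs]
    hosts += [m.group(1) for body in parser.inline for m in _URL_HOST.finditer(body)]
    for host in hosts:
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"script loads from unexpected host: {host}")
    for body in parser.inline:
        flat = body.lower().replace("_", "").replace("-", "")  # also catch card_number / card-number
        if hits := [m for m in SKIMMER_MARKERS if m in flat]:
            findings.append("inline script references payment fields: " + ", ".join(hits))
    return findings
# Constructed sample: a genuine GTM loader, an injected look-alike on a typosquatted host from the hunting hints, and an inline snippet that hooks the card number field.
SAMPLE_SETTING = """
<script>(function(d,s){var j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX';d.head.appendChild(j);})(document,'script');</script>
<script async src="https://g-tag-manager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script>document.querySelector('#cardnumber').addEventListener('change',function(e){/* ... */});</script>
"""
```

Running audit_external_scripts(SAMPLE_SETTING) flags the g-tag-manager.com loader and the inline cardnumber hook while leaving the genuine loader alone; feed it each External Scripts value exported from wp_options.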

As a proactive and layered defense, implementing Inbound Traffic Filtering via a Web Application Firewall (WAF) can help protect against this and future similar vulnerabilities. A WAF can be configured with rules to inspect incoming HTTP requests to the WordPress site. For this specific Funnel Builder vulnerability, a custom WAF rule could be created to block unauthenticated POST requests to the plugin's vulnerable checkout endpoint. More generically, WAFs can be configured with rulesets that detect and block common web attack patterns, such as SQL injection and Cross-Site Scripting (XSS). While the attackers in this case injected their script through a settings-write vulnerability, a WAF might have detected the script payload within the request and blocked it. This provides an essential layer of protection, especially for zero-day vulnerabilities where a patch is not yet available, or for organizations that are slow to apply updates.

Sources & References

  • Attackers exploit Funnel Builder bug to inject e-skimmers into e-stores. Security Affairs (securityaffairs.com), May 17, 2026
  • Red Hat Summit 2026: Platform modernization and AI on… Develeap (develeap.com), May 17, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

WordPress, WooCommerce, Payment Skimmer, Magecart, E-commerce, Vulnerability
