Critical Funnel Builder Plugin Flaw Under Active Exploitation Imperils WooCommerce Payments



A severe security vulnerability within the popular Funnel Builder plugin for WordPress is currently under active exploitation, enabling threat actors to inject malicious JavaScript into WooCommerce checkout pages. This sophisticated attack aims to surreptitiously steal sensitive payment information from unsuspecting customers, posing a significant risk to online businesses utilizing the affected plugin.

The Exploitation Mechanism: From Upload to Skimming

The core of this critical flaw lies in an unauthenticated arbitrary file upload vulnerability present in earlier versions of the Funnel Builder by Themify plugin. Attackers leverage this weakness to upload malicious PHP files onto vulnerable WordPress sites without needing any account. Once a malicious file is on disk and reachable through the web server, requesting it grants them remote code execution.

With unauthorized control over the server, the attackers then proceed to inject JavaScript code directly into WooCommerce checkout pages. This injected script acts as a digital skimmer, intercepting and exfiltrating credit card details and other personal payment information as customers enter it during the purchase process. The stolen data is then transmitted to attacker-controlled infrastructure, often leaving no immediate trace for the e-commerce store owner until fraudulent charges appear.

Discovery and Scope of Impact

Details concerning this active exploitation campaign were brought to light by cybersecurity researchers at Sansec. While this vulnerability does not yet carry an official Common Vulnerabilities and Exposures (CVE) identifier, its real-world impact is undeniable, affecting numerous WooCommerce stores globally that have not yet updated their Funnel Builder plugin.

The Funnel Builder plugin, designed to streamline sales funnels on WordPress sites, is widely used, making the scope of potential compromise considerable. Websites running versions prior to 1.1.1 are particularly susceptible to these attacks.

Urgent Call for Action: Protecting Your E-commerce Store

Given the active nature of the exploitation, it is imperative for all website administrators using the Funnel Builder by Themify plugin to take immediate action. The primary and most critical step is to update the plugin to version 1.1.1 or higher. Themify has released a patch that addresses the underlying arbitrary file upload vulnerability, effectively closing the attack vector.

Beyond patching, e-commerce site owners should implement a multi-layered security strategy, including:

  • Regular security audits and vulnerability scanning.
  • Implementing a robust Web Application Firewall (WAF).
  • Enabling file integrity monitoring to detect unauthorized changes.
  • Educating staff on phishing and social engineering tactics.
  • Regularly reviewing server logs for suspicious activity.
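As an added defender-side example (not code from the article, Sansec or Themify), the following Python script performs two of the checks above for the scenario described in the exploitation section: it reads a plugin's header to tell whether the installed version is below the patched 1.1.1, and it walks a wp-content/uploads tree for files carrying a PHP extension or a PHP open tag, the kind of artifact an unauthenticated upload flaw leaves behind. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

PATCHED_VERSION = (1, 1, 1)  # first fixed Funnel Builder release per the advisory
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def parse_version(header_text):
    """Return the 'Version:' line of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def plugin_is_vulnerable(header_text):
    """True when the header declares a version below 1.1.1 (or no version at all)."""
    v = parse_version(header_text)
    return v is None or v < PATCHED_VERSION


def find_php_in_uploads(uploads_dir):
    """List files under wp-content/uploads with a PHP extension or PHP open tag.

    A media upload directory should never hold executable PHP, so any hit is
    worth treating as a possible web shell regardless of its extension.
    """
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the open tag sits at the top of a PHP file
            if ext in PHP_EXT or PHP_TAG.search(head):
                hits.append(os.path.relpath(path, uploads_dir).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Constructed sample tree: one real image, one PHP file disguised as an image,
    one bare .php drop. Returns the relative paths the scanner flags."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "2024", "05"))
        with open(os.path.join(d, "2024", "05", "banner.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed image bytes")
        with open(os.path.join(d, "2024", "05", "cache.jpg"), "wb") as fh:
            fh.write(b"<?php echo 'constructed sample, no payload'; ?>")
        with open(os.path.join(d, "shell.php"), "wb") as fh:
            fh.write(b"// constructed sample, no payload")
        return find_php_in_uploads(d)  # -> ['2024/05/cache.jpg', 'shell.php']
```

Point `find_php_in_uploads` at a real wp-content/uploads directory and `plugin_is_vulnerable` at the contents of the plugin's main PHP file to run the checks on a live install.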

Summary

The active exploitation of an unpatched Funnel Builder plugin vulnerability represents a severe threat to WooCommerce stores, facilitating checkout skimming and the theft of sensitive customer payment data. This issue, initially reported by Sansec, underscores the critical importance of timely plugin updates and proactive security measures in the ever-evolving landscape of online threats. Immediate action is required to protect both businesses and their customers from financial fraud.

Resources
