Full Report
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]
Analysis Summary
# Vulnerability: Unauthenticated Settings Injection in Funnel Builder for WordPress
## CVE Details
- **CVE ID**: Not currently assigned (Zero-day at time of report)
- **CVSS Score**: Estimated 9.8 (Critical)
- **CWE**: CWE-284 (Improper Access Control) / CWE-79 (Cross-Site Scripting)
## Affected Systems
- **Products**: Funnel Builder (by FunnelKit) for WordPress/WooCommerce
- **Versions**: All versions prior to 3.15.0.3
- **Configurations**: Any site with the plugin active and reachable from the internet. The vulnerable settings endpoint requires no authentication, so no special configuration is needed for a site to be exposed.
## Vulnerability Description
An unprotected, publicly exposed endpoint allows unauthenticated attackers to modify the plugin's global configuration settings. Specifically, the flaw allows arbitrary JavaScript to be written into the "External Scripts" setting. Because the plugin loads those scripts on the checkout page, the injected JavaScript runs in the browser of every customer who reaches the WooCommerce checkout, where card numbers, CVVs and billing details are typed in. The attack therefore targets shoppers rather than the WordPress host itself: the site keeps functioning normally while the injected script skims the form.
## Exploitation
- **Status**: Exploited in the wild (Active exploitation reported by Sansec)
- **Complexity**: Low
- **Attack Vector**: Network (Unauthenticated remote access)
## Impact
- **Confidentiality**: High (Theft of full credit card details, CVVs, and PII)
- **Integrity**: High (Unauthorized modification of plugin settings and page content)
- **Availability**: Low (The primary goal is data exfiltration rather than service disruption)
## Remediation
### Patches
- **Update to Version 3.15.0.3**: This version addresses the unprotected endpoint and prevents unauthorized settings modification. Site administrators should update immediately via the WordPress dashboard. Updating closes the endpoint but does not necessarily remove a script that was already injected, so review the "External Scripts" setting after updating (see Detection).
### Workarounds
- **Manual Audit**: If an update cannot be performed immediately, administrators must manually inspect the plugin's settings and remove malicious entries (see Detection section). This is cleanup, not a fix: the endpoint stays unauthenticated until the patch is applied, so the attacker can re-inject the script at any time. Repeat the audit frequently until the update is installed.
## Detection
- **Indicators of Compromise (IoC)**:
- Presence of the script: `hxxps[://]analytics-reports[.]com/wss/jquery-lib.js`
- WebSocket connections to: `wss[://]protect-wss[.]com/ws`
- **Detection Methods**:
- **Settings Review**: Navigate to `Settings > Checkout > External Scripts` within the Funnel Builder plugin. Check for any unrecognized JavaScript or scripts disguised as Google Tag Manager or Google Analytics.
- **Network Monitoring**: Scan for outbound connections to the known malicious domains listed above. Note that the injected script runs in customers' browsers, so these connections originate from shoppers' machines, not from the WordPress server; egress monitoring on the web host will not see them. Detect on the server side by fetching the checkout page as an unauthenticated visitor and inspecting the returned HTML for the IoC hosts, and on the client side (corporate proxies, DNS logs) by matching the domains.
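The two detection methods above, as an added example (not Sansec's or FunnelKit's code): the script parses a rendered checkout page for `<script src>` URLs and inline WebSocket connections, flags the known IoC hosts, flags analytics-looking loaders served from hosts outside a Google allowlist (the "disguised as Google Tag Manager" case), and matches the IoC domains against proxy or DNS log lines. The sample HTML, the log-line format and the `TRUSTED_SCRIPT_HOSTS` allowlist are assumptions constructed for the example.

```python
"""Audit a checkout page and log lines for the Funnel Builder injection IoCs.
Added example; the sample HTML and log lines below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Known malicious hosts from the IoC list in this report.
IOC_DOMAINS = frozenset({"analytics-reports.com", "protect-wss.com"})

# Hosts that legitimately serve Google Tag Manager / Analytics loaders.
# Assumption: extend with any CDN the audited site actually uses.
TRUSTED_SCRIPT_HOSTS = frozenset({
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "www.googletagservices.com",
})

LOOKALIKE_RE = re.compile(r"gtm|gtag|analytics|googletag", re.I)   # names attackers imitate
WS_RE = re.compile(r'wss?://([A-Za-z0-9.-]+)[^\s"\']*')           # WebSocket URLs in JS
HOST_TOKEN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")  # hostnames in log text


class ScriptCollector(HTMLParser):
    """Collect <script src> URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def is_ioc_host(host):
    """True for an IoC domain or any subdomain of one."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def audit_checkout_html(html):
    """Return (finding_type, evidence) tuples for suspicious scripts and sockets."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = host_of(src)
        if is_ioc_host(host):
            findings.append(("known_ioc_script", src))
        elif host and host not in TRUSTED_SCRIPT_HOSTS and LOOKALIKE_RE.search(src):
            # Analytics-looking loader from a non-Google host: review by hand.
            findings.append(("lookalike_analytics_script", src))
    for body in parser.inline:
        for m in WS_RE.finditer(body):
            kind = "known_ioc_websocket" if is_ioc_host(m.group(1).lower()) else "unexpected_websocket"
            findings.append((kind, m.group(0)))
    return findings


def audit_log_lines(lines):
    """Return (ioc_domain, line) for each proxy/DNS log line touching an IoC host."""
    hits = []
    for line in lines:
        for token in HOST_TOKEN_RE.findall(line.lower()):
            if is_ioc_host(token):
                hits.append((token, line.strip()))
                break
    return hits


# Constructed sample of a compromised checkout page (not a real capture).
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://analytics-reports.com/wss/jquery-lib.js"></script>
<script src="https://cdn.example.net/js/gtag-loader.js"></script>
<script>var ws = new WebSocket("wss://protect-wss.com/ws");</script>
</head><body><form id="checkout"></form></body></html>"""

# Constructed proxy log lines; the format is hypothetical.
SAMPLE_LOG_LINES = [
    "10.0.0.5 GET https://www.googletagmanager.com/gtm.js 200",
    "10.0.0.5 GET https://analytics-reports.com/wss/jquery-lib.js 200",
    "10.0.0.7 CONNECT protect-wss.com:443 200",
]

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print("page:", *finding)
    for hit in audit_log_lines(SAMPLE_LOG_LINES):
        print("log:", *hit)
```

Run `audit_checkout_html` against the HTML returned to an unauthenticated `GET` of the checkout URL, and `audit_log_lines` against proxy or DNS logs from the client side. The lookalike rule deliberately over-reports: any `gtag`/`gtm`-named script from a non-allowlisted host is worth a manual look, because a skimmer named `jquery-lib.js` or `gtag-loader.js` on an unfamiliar CDN is exactly how this campaign hides.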
## References
- **Vendor Advisory**: FunnelKit Security Advisory (Version 3.15.0.3 Release Notes)
- **Security Research**: hxxps[://]sansec[.]io/research/funnelkit-woocommerce-vulnerability-exploited
- **News Report**: hxxps[://]www[.]bleepingcomputer[.]com/news/security/funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards/