WordPress Funnel Builder Bug Exploited for Card Theft

Ever wonder if your checkout page is a backdoor? For thousands of WordPress sites, it just was. A critical bug in the Funnel Builder plugin let crooks pocket credit card details with alarming ease.

WordPress Plugin Bug Steals Credit Cards

So, your online store is humming along. Sales are good. You’re feeling that sweet, sweet e-commerce glow. Then, bam. Did you know a bug in a popular WordPress plugin could be quietly siphoning off your customers’ credit card data? Surprise!

The Silent Siphon

It turns out, the Funnel Builder plugin for WordPress, a tool many use to jazz up their WooCommerce checkout experience, had a rather significant hole. We’re not talking about a little draft; this was more like a gaping maw. Apparently, this flaw, which doesn’t even have a fancy CVE number yet (because why bother?), allows unauthenticated attackers to inject nasty JavaScript. What does that mean? It means your customers’ sensitive payment information might be heading straight into the hands of criminals. All this, from a plugin active on over 40,000 websites. Nice.

How the Sausage Gets Stolen

Sansec, a security outfit that clearly enjoys its gloom-and-doom, spotted the dirty work. Attackers weren’t just messing around; they were disguised. Their malicious payload pretended to be legitimate Google Tag Manager or Google Analytics scripts. Sneaky. But it wasn’t just for show; it opened a WebSocket connection to an external server. From there, they could mess with the plugin’s global settings, specifically the “External Scripts” section. Think of it as leaving the keys to your vault in the mailbox. Any JavaScript they wanted, injected right onto every single checkout page. And the prize? A custom-built payment card skimmer, ready to snag credit card numbers, CVVs, billing addresses, and whatever else it could grab.

According to Sansec, the attacker-controlled server delivers a customized payment card skimmer that steals credit card numbers, CVVs, billing addresses, and other customer information.

The Unfortunate Reality for E-commerce

This isn’t just theoretical nastiness. These stolen records are the bread and butter for dark web carding markets. Fraudulent purchases? Check. Bulk sales of compromised data? You bet. It’s the digital equivalent of a smash-and-grab, but far less messy for the perpetrators.

A Patch Arrives, But Is It Enough?

FunnelKit, the creators of the plugin, finally got around to patching this mess. Version 3.15.0.3 dropped yesterday. They acknowledged the issue, calling it an “issue that allowed bad actors to inject scripts.” Understated, wouldn’t you say? Their advice? Update. Immediately. And while you’re at it, poke around your Settings > Checkout > External Scripts to see if any digital squatters have moved in.
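As an added example (not from the article, Sansec or FunnelKit), here is a small Python audit that applies the indicators described above to a rendered checkout page: external scripts that present themselves as Google Tag Manager or Analytics loaders but are served from a non-Google host, and inline scripts that open a WebSocket, which neither GTM nor GA does. The sample HTML and the hostnames in it are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hosts from which Google Tag Manager / Analytics loaders legitimately come.
GOOGLE_TAG_HOSTS = {"www.googletagmanager.com", "googletagmanager.com",
                    "www.google-analytics.com", "google-analytics.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*["'](wss?://[^"']+)["']""", re.I)
# Strings a script uses to pass itself off as GTM / GA.
GTM_HINT_RE = re.compile(r"gtm|gtag|google[ -]?tag ?manager|google[ -]?analytics", re.I)

def audit_checkout_scripts(html):
    """Return (reason, detail) findings for scripts embedded in checkout HTML."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            url = src.group(1)
            host = (urlparse(url).hostname or "").lower()
            # Claims to be a GTM/GA loader but is served from a non-Google host.
            if GTM_HINT_RE.search(url) and host not in GOOGLE_TAG_HOSTS:
                findings.append(("gtm_lookalike_src", url))
            continue
        # Neither GTM nor GA opens WebSockets; an inline checkout script that
        # does is either a skimmer loader or something that needs explaining.
        for ws_url in WS_RE.findall(body):
            reason = ("gtm_lookalike_inline_websocket" if GTM_HINT_RE.search(body)
                      else "inline_websocket")
            findings.append((reason, ws_url))
    return findings

# Constructed sample: one genuine GTM loader, one inline script disguised with a
# GTM comment that opens a WebSocket, and one lookalike loader from a non-Google host.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script>/* Google Tag Manager */
var ws = new WebSocket("wss://tag-manager.example-cdn.test/collect");
</script>
<script src="https://cdn.example.test/gtm.js"></script>
</head><body>checkout</body></html>"""

if __name__ == "__main__":
    for reason, detail in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(reason, detail)
```

Run it against the HTML of your own checkout page (fetched while logged out, so you see what a shopper sees); any finding is something to explain or remove via Settings > Checkout > External Scripts.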

But here’s the rub, and it’s a big one. While automated tools can tell you if an attacker can get in, they often fail to test how your defenses hold up against specific threats. This kind of vulnerability exploitation — slipping in under the guise of legitimate functionality — is precisely the kind of thing basic scans miss. It requires a deeper look, a suspicion that the tools you trust might be, well, compromised. This incident isn’t just about a single bug; it’s a stark reminder that even seemingly innocent plugins can become vectors for significant damage. The real threat isn’t just the code; it’s the trust we place in the ecosystem, a trust that’s proving increasingly fragile.

Written by
Threat Digest Editorial Team

Originally reported by Bleeping Computer