Another top WordPress plugin exploited — hackers target credit card details, here's what you need to know

News
By published

Funnel Builder WordPress plugin hacked to steal people's credit cards

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)
  • Hackers are exploiting a critical flaw in the Funnel Builder plugin to inject credit card skimmers into checkout pages
  • FunnelKit released a patched version, but more than half of active sites remain on older, vulnerable builds
  • Stolen payment data is being monetized through dark web sales and fraudulent ad purchases

Hackers are exploiting a critical vulnerability in a popular WordPress plugin to steal credit card information from people making online purchases.

Security researchers Sansec said they recently spotted an active campaign targeting websites running the Funnel Builder plugin, which is apparently active on more than 40,000 ecommerce websites, letting businesses create sales funnels, landing pages, optimized checkout flows, upsells, and lead-generation campaigns, all without any coding.

Sansec found it carried a critical-severity vulnerability (no CVE yet), that allows threat actors to add malicious JavaScript snippets into WooCommerce checkout pages, without authentication. According to the researchers, someone used it to add a credit card skimmer capable of exfiltrating credit card numbers, CVVs, billing addresses, and other customer information.

Latest Videos From

Patching the flaw

We don’t know how many websites have been compromised this way, or how many people lost their credit card information to the hackers - however, the data they stole is all they need to make fraudulent purchases online.

In most cases, though, they just sell it on the dark web to the highest bidder. Usually cybercriminals use stolen cards to purchase ads on reputable ad networks and promote malware that can lead to ransomware infections.

Most of the ads for malware and infostealing landing pages seen on Google are paid for with stolen credit cards and through compromised Google Ads accounts.

Since then, FunnelKit (the company behind the plugin) addressed the issue and released a new version - 3.15.0.3. All users are advised to upgrade to this version and secure their websites immediately.

At press time, the official WordPress site shows 50.3% of all websites are running older versions of Funnel Builder, meaning at least 20,000 sites are directly exposed. The remaining 49.7% are shown as running version 3.15, so we don’t know how many have patched up. Therefore, number of websites at risk could possibly be even higher.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.