Funnel Builder
cpe:2.3:a:funnelkit:funnel_builder:*:*:*:*:wordpress:*:*
- < 3.15.0.3
A missing authorization vulnerability has been identified in Funnel Builder for WooCommerce Checkout, affecting versions prior to 3.15.0.3. The flaw lies in the public checkout endpoint, which allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Exploiting it lets an attacker inject malicious JavaScript that executes in the browser of every visitor to the checkout page.
Exploitation of this vulnerability allows for unauthorized JavaScript injection into the checkout pages of affected WooCommerce stores. This injected script can execute malicious actions in the context of the user's browser, potentially leading to theft of sensitive information such as payment details. In fact, according to Sansec, this vulnerability is currently being actively exploited, with injected scripts designed to steal customer payment data.
FunnelKit has released a patch for this vulnerability in version 3.15.0.3. Users are advised to update to this version and review the External Scripts setting to remove any unfamiliar scripts. Additionally, running the eComscan tool can help detect any injected skimmers or malware that may have been introduced through this vulnerability.
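The weakness described above is a public endpoint that dispatches to internal setters without any authorization check, so a setting later rendered as script markup can be overwritten by anyone. The PHP sketch below is an added illustration of that bug class and its fix, not FunnelKit's code; every hook, function and option name in it is a hypothetical placeholder.

```php
<?php
// Added illustration, not the plugin's code: hook names, function names
// and the option name are hypothetical placeholders.

// --- Vulnerable pattern: a public (nopriv) AJAX endpoint that forwards a
// client-chosen method name to internal setters with no capability or
// nonce check. Anyone who can reach admin-ajax.php can overwrite the
// global setting that is later printed into the checkout page as <script>.
add_action( 'wp_ajax_nopriv_example_checkout_action', 'example_checkout_action_vulnerable' );
add_action( 'wp_ajax_example_checkout_action', 'example_checkout_action_vulnerable' );

function example_checkout_action_vulnerable() {
    $method = isset( $_POST['method'] ) ? sanitize_key( $_POST['method'] ) : '';
    $data   = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    // Dispatching on a caller-supplied method name exposes every internal
    // setter, including the one for the global external-scripts option.
    if ( 'save_external_scripts' === $method ) {
        update_option( 'example_external_scripts', $data ); // hypothetical option
    }
    wp_send_json_success();
}

// --- Hardened pattern: the setting is only reachable through a
// privileged-only hook (no wp_ajax_nopriv_ registration), the request
// must carry a valid nonce, the caller must hold manage_options, and
// there is no caller-chosen dispatch to arbitrary internal methods.
add_action( 'wp_ajax_example_save_external_scripts', 'example_save_external_scripts_hardened' );

function example_save_external_scripts_hardened() {
    // check_ajax_referer() terminates the request when the nonce is invalid.
    check_ajax_referer( 'example_external_scripts_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $data = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
    update_option( 'example_external_scripts', $data );
    wp_send_json_success();
}
```

When reviewing a store after the update, the same option-backed setting is the place to look: any script source in it that the site owner did not add should be removed.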