Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

The vulnerability stems from an insecure deserialization path in the Funnel Builder plugin's checkout integration module, which copies user-supplied parameters into the WooCommerce order-processing payload without validation or integrity checks. An attacker can craft a POST request to the Funnel Builder REST endpoint (e.g., `/wp-json/funnel-builder/v1/checkout`) that overwrites the `meta_data` fields used to store payment token references. Because the endpoint performs no nonce verification, and the handler passes the request body through `wp_unslash()` and then `json_decode()` with the `true` flag before the values reach a deserialization path, attacker-controlled serialized PHP objects can be injected, resulting in remote code execution (RCE). One caveat for anyone triaging this: `json_decode()` with the `true` flag only ever produces arrays and scalars and cannot instantiate PHP classes on its own, so object injection here requires that the decoded values later reach `unserialize()` or an equivalent downstream, and that downstream call is what a complete fix has to remove or gate. The attacker's code then hooks the `woocommerce_payment_complete` action and replaces the legitimate value returned by `$order->get_payment_method()` with an attacker-controlled token. This chain enables live card skimming at checkout: the malicious payload silently forwards captured card details to an external C2 server while preserving the customer's purchase flow.
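The handler shape described above, as an added example that is not code from Funnel Builder or from this write-up: the unsafe pattern beside a hardened equivalent that applies the two controls the vendor fix is credited with (schema validation and a capability check). The route names `example-funnel-vuln/v1` and `example-funnel/v1`, the callback names and the `_example_funnel_step` meta key are assumptions; the WordPress and WooCommerce functions used are real APIs.

```php
<?php
/**
 * Added example, not Funnel Builder's code: the unsafe handler shape the
 * write-up describes, beside a hardened equivalent. Route names, callback
 * names and the "_example_funnel_step" meta key are assumptions.
 */

/* ---------- Vulnerable pattern (illustration only, do not deploy) ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-funnel-vuln/v1', '/checkout', array(
        'methods'             => 'POST',
        'callback'            => 'example_vulnerable_checkout',
        // Anyone on the internet may call this: no capability or nonce check.
        'permission_callback' => '__return_true',
    ) );
} );

function example_vulnerable_checkout( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['order_id'] ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'No such order', array( 'status' => 404 ) );
    }
    // json_decode() yields only arrays and scalars, so this line alone cannot
    // create objects. The damage is that the attacker now controls every meta
    // key and value, including ones that downstream code trusts and may feed
    // to unserialize() (the write-up's object-injection step).
    $body = json_decode( wp_unslash( $request->get_body() ), true );
    foreach ( (array) ( $body['meta_data'] ?? array() ) as $key => $value ) {
        $order->update_meta_data( $key, $value );
    }
    $order->save();
    return rest_ensure_response( array( 'ok' => true ) );
}

/* ---------- Hardened equivalent ---------- */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-funnel/v1', '/checkout', array(
        'methods'             => 'POST',
        'callback'            => 'example_hardened_checkout',
        // Evaluated before the callback. A browser session only counts as
        // logged in when a valid X-WP-Nonce accompanies the request, so an
        // anonymous or nonce-less cookie request fails here.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        // Schema: the REST server rejects the request before the callback runs
        // if a parameter is missing, of the wrong type, or outside the enum.
        'args' => array(
            'order_id'    => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'rest_sanitize_request_arg',
            ),
            'funnel_step' => array(
                'required'          => true,
                'type'              => 'string',
                'enum'              => array( 'upsell', 'downsell', 'thankyou' ),
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'rest_sanitize_request_arg',
            ),
        ),
    ) );
} );

function example_hardened_checkout( WP_REST_Request $request ) {
    $order = wc_get_order( $request->get_param( 'order_id' ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'No such order', array( 'status' => 404 ) );
    }
    // Exactly one fixed, plugin-namespaced key is ever written, from an
    // enum-validated value. Free-form meta_data from the client is never
    // accepted, so a serialized object has nothing to ride in on.
    $order->update_meta_data( '_example_funnel_step', $request->get_param( 'funnel_step' ) );
    $order->save();
    return rest_ensure_response( array( 'ok' => true ) );
}
```

The hardened route leans on the REST layer's own authentication: cookie sessions need a valid `X-WP-Nonce`, and a server-to-server caller must present an application password or another REST auth method. Either way an anonymous POST is refused by the permission callback before a single parameter is read, and the schema means the callback never sees a key it did not declare.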

Preliminary analysis maps the exploitable code paths to CVE‑2024‑27631 (insecure deserialization in Funnel Builder ≤ 1.7.9) and CVE‑2024‑28312 (missing capability check on the WooCommerce webhook handlers). Both issues were reported to the vendor on 2024‑03‑15 and a patch shipped on 2024‑04‑02, but that fix only added input sanitization for the `order_id` field and left the `meta_data` deserialization unchecked. Exploit scripts observed in the wild use a serialized PHP object chain built on the `WP_User` class to spawn a reverse shell through `WP_Filesystem`, confirming that the bug yields RCE rather than only order tampering. The active campaign rotates through a list of compromised WordPress sites, embeds the malicious funnel in ad‑network landing pages, and uses short‑lived JWTs to evade rate limiting on the vulnerable endpoint.

Mitigation must be layered. Upgrade immediately to Funnel Builder 1.8.2 or later, which validates the request against a strict schema and enforces `current_user_can('manage_woocommerce')` on every webhook entry point. If upgrading is not yet possible, deploy a WAF rule in front of `/wp-json/funnel-builder/v1/checkout` that blocks POST requests lacking a valid `X-WP-Nonce` header and inspects the body for PHP serialized-object patterns; match on `O:<digits>:"` rather than the bare string `O:`, which appears in ordinary text, and be aware that a nonce requirement also blocks any legitimate server‑to‑server caller that authenticates with an application password rather than a browser session. Harden PHP by disabling `allow_url_fopen` and `allow_url_include` and by adding `exec`, `shell_exec`, `system`, `passthru` and `proc_open` to `disable_functions`; these raise the cost of a post‑exploitation shell but do not close the deserialization bug itself. Configure the payment gateway to require 3‑D Secure on all card transactions; this limits fraudulent reuse of skimmed card numbers but does not prevent the capture. Finally, rotate all payment gateway API credentials, enumerate the callbacks registered on `woocommerce_payment_complete` and investigate any that do not belong to WooCommerce or a known gateway plugin, and audit every Funnel Builder installation for residual backdoors, including unexpected files in `wp-content/mu-plugins` and modified plugin files.
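Two of the interim controls above, rejecting REST bodies that carry serialized PHP objects and checking what is actually hooked to `woocommerce_payment_complete`, as an added must-use plugin example. This is not code from the page, from Funnel Builder or from WooCommerce; the `EXAMPLE_GUARD_BLOCK` constant, the `example_*` function names, the regex and the allowlisted directory are assumptions to adjust per site.

```php
<?php
/**
 * Added example (not Funnel Builder's or WooCommerce's code). Drop into
 * wp-content/mu-plugins/. (1) Rejects REST requests carrying PHP serialized
 * objects; (2) reports callbacks on woocommerce_payment_complete defined
 * outside an allowlisted directory. Names, regex and allowlist are assumptions.
 */

// Set to false to log without blocking while confirming there are no false positives.
define( 'EXAMPLE_GUARD_BLOCK', true );

/**
 * True if $text contains a PHP object serialization such as O:7:"WP_User":1:{
 * (or C:... for Serializable classes), raw or JSON-escaped (O:7:\"WP_User\":1:{).
 * Much tighter than the bare "O:" string, which matches ordinary text.
 */
function example_contains_php_object( $text ) {
    if ( ! is_string( $text ) ) {
        return false;
    }
    return (bool) preg_match( '/[OC]:\d+:\\\\?"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*\\\\?":\d+:\{/', $text );
}

/** Recursively apply the check to every key and value of the decoded params. */
function example_params_contain_php_object( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            if ( example_contains_php_object( (string) $k ) || example_params_contain_php_object( $v ) ) {
                return true;
            }
        }
        return false;
    }
    return example_contains_php_object( $value );
}

// rest_pre_dispatch runs before routing, so this covers every REST endpoint,
// including a plugin route that has no permission callback of its own.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited the request
    }
    $suspect = example_contains_php_object( $request->get_body() )
        || example_params_contain_php_object( $request->get_params() );
    if ( ! $suspect ) {
        return null;
    }
    error_log( sprintf( 'example-guard: PHP serialized object in REST %s %s from %s',
        $request->get_method(), $request->get_route(), $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    if ( ! EXAMPLE_GUARD_BLOCK ) {
        return null;
    }
    return new WP_Error( 'example_rejected_payload', 'Request body rejected.', array( 'status' => 400 ) );
}, 10, 3 );

/** Resolve the file that defines a hook callback (false if it cannot be resolved). */
function example_callback_file( $callback ) {
    try {
        if ( $callback instanceof Closure || ( is_string( $callback ) && false === strpos( $callback, '::' ) ) ) {
            return ( new ReflectionFunction( $callback ) )->getFileName();
        }
        if ( is_array( $callback ) ) {
            return ( new ReflectionMethod( $callback[0], $callback[1] ) )->getFileName();
        }
        if ( is_string( $callback ) ) {
            return ( new ReflectionMethod( $callback ) )->getFileName();
        }
    } catch ( ReflectionException $e ) {
        // unresolvable callable: reported as unknown below
    }
    return false;
}

/** Callbacks on $hook whose defining file is outside every allowed directory. */
function example_audit_hook( $hook, array $allowed_dirs ) {
    $findings = array();
    if ( empty( $GLOBALS['wp_filter'][ $hook ] ) ) {
        return $findings;
    }
    foreach ( $GLOBALS['wp_filter'][ $hook ]->callbacks as $priority => $entries ) {
        foreach ( $entries as $entry ) {
            $file    = example_callback_file( $entry['function'] );
            $trusted = false;
            foreach ( $allowed_dirs as $dir ) {
                if ( $file && 0 === strpos( $file, $dir ) ) {
                    $trusted = true;
                    break;
                }
            }
            if ( ! $trusted ) {
                $findings[] = array( 'priority' => $priority, 'file' => $file ? $file : '(unknown)' );
            }
        }
    }
    return $findings;
}

// wp_loaded fires after plugins and the theme have registered their hooks.
add_action( 'wp_loaded', function () {
    // Assumption: extend with the directory of each payment gateway plugin in use.
    $allowed = array( WP_PLUGIN_DIR . '/woocommerce/' );
    foreach ( example_audit_hook( 'woocommerce_payment_complete', $allowed ) as $hit ) {
        error_log( sprintf( 'example-guard: unexpected woocommerce_payment_complete callback (priority %d) in %s',
            $hit['priority'], $hit['file'] ) );
    }
} );
```

Run it with `EXAMPLE_GUARD_BLOCK` set to false for a day first and review the log: legitimate REST clients have no reason to send PHP serialized objects, so hits are worth investigating rather than tuning away. The hook audit flags anything it cannot resolve to a file as `(unknown)`; invokable objects and callbacks registered after `wp_loaded` (for example from inside a request handler) are not covered, so treat the log as a starting point, not proof of a clean install.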
