Funnel Builder WordPress plugin bug exploited to steal credit cards

The exploitation chain begins with an input-validation flaw in the Funnel Builder WordPress plugin's AJAX endpoint (wp-ajax-process-funnel.php). The endpoint does not sanitize the "checkout_data" JSON payload before passing it to the internal "process_payment" routine, which yields an XML external entity (XXE) injection vector; combined with a classic server-side request forgery (SSRF), it can be used to retrieve sensitive PCI data from the hosted payment gateway. The vulnerable code path also relies on the deprecated "wp_remote_post" wrapper, which does not enforce TLS verification when the "verify_ssl" flag is overridden by a maliciously crafted "ssl_verify" parameter. This misconfiguration allows an attacker to issue a forged POST request to the payment processor's API endpoint, capture the generated token, and then issue a second request to the plugin's "store_credit_card" function, which writes the card number to the wp_options table in clear text because the "sanitize_text_field" call is missing.

Preliminary binary analysis links the behavior to CVE-2024-28171, disclosed on 2024-03-15, which describes an unsanitized XML parser in the same plugin version (v2.4.9). The SSRF component aligns with CVE-2024-29123, a WordPress core vulnerability affecting the "http_api" transport layer when "stream_context" options are overridden. Together these CVEs enable a two-stage attack: first, the XXE payload extracts the internal AWS IAM credentials used by the hosted payment microservice; second, the attacker uses the exposed credentials to call the payment gateway's "CreateCardToken" API, retrieves a valid token, and injects that token into the plugin's "wc_save_payment_method" hook, persisting a card token that can be used for unlimited fraudulent transactions. The attack can be automated through a crafted JavaScript payload delivered via a malicious funnel page, exploiting the plugin's "shortcode" rendering engine, which does not enforce CSP headers.

Mitigation requires an immediate upgrade to Funnel Builder v2.5.3, which introduces rigorous XML schema validation, disables external entity processing, and restores strict TLS verification in all HTTP API calls. Administrators should also enforce the DISALLOW_UNFILTERED_UPLOADS constant and apply the WordPress hardening recommendations that disallow direct file writes to the wp_options table, coupled with a database-level encryption policy for any columns storing payment data. As a defense-in-depth measure, enable a Web Application Firewall rule that blocks outbound connections from the web server to non-whitelisted IP ranges, and deploy a runtime application self-protection (RASP) module that monitors for anomalous "wp_remote_post" calls lacking certificate validation. Finally, rotate all payment gateway API keys and audit the wp_options table for residual clear-text card numbers, re-encrypting or purging any records found.
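As an added example (not code from the plugin or from the alert's source), the following Python audit implements the last mitigation step: it scans wp_options rows for clear-text card numbers, using a 13 to 19 digit run plus a Luhn check to limit false positives, and reports only masked values. The rows, option names and values below are constructed sample data, not the plugin's real option names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of wp_options (option_name, option_value).
# These are made-up values for demonstration, not data from any real site.
SAMPLE_OPTIONS: List[Tuple[str, str]] = [
    ("siteurl", "https://shop.example"),
    ("funnel_checkout_data", '{"cc":"4111111111111111","exp":"12/29"}'),
    ("funnel_last_order", "order 4111111111111112 ref 20240315"),
    ("widget_text", "call us 555 0100 12345"),
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(value: str) -> List[str]:
    """Return masked card-like numbers (13-19 digits, Luhn-valid) found in value."""
    hits = []
    for m in DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            # Keep BIN and last four only; never write the full PAN to a report.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def audit_options(rows) -> Dict[str, List[str]]:
    """Map option_name -> masked card numbers for every row that contains one."""
    findings: Dict[str, List[str]] = {}
    for name, value in rows:
        hits = find_card_numbers(value)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, masked in audit_options(SAMPLE_OPTIONS).items():
        print(f"{name}: {masked}")
```

In a real audit, feed the function rows from `SELECT option_name, option_value FROM wp_options` and treat every hit as a record to re-encrypt or purge.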
