A WordPress plugin vulnerability is being actively exploited to inject malicious code designed to steal customer credit card details directly from checkout pages. The Funnel Builder plugin contains a flaw that attackers are weaponizing against ecommerce sites, with the malware specifically targeting WooCommerce payment forms to capture sensitive financial information.
Key Takeaways
- Funnel Builder WordPress plugin contains an actively exploited vulnerability allowing code injection
- Attackers inject server-side PHP credit card skimming malware stored in the wp_options database table
- Malicious code manipulates WooCommerce checkout forms to collect names, addresses, card numbers, expiry dates, and CVV codes
- Fake forms disable autocomplete to hide the injection from browser security features
- The vulnerability has been patched, making immediate updates critical for site owners
How the WordPress plugin vulnerability attack works
The attack exploits the Funnel Builder WordPress plugin vulnerability to gain server-side access to compromised sites. Once inside, attackers install persistent PHP-based credit card skimming malware that stores itself in the dnsp_settings option within the WordPress wp_options database table. This placement keeps the malicious code hidden from casual inspection while remaining active across site restarts. The malware then targets the WooCommerce billing form, the standard payment interface on most WordPress ecommerce stores.
The attacker’s goal is straightforward: intercept payment information before it reaches legitimate payment processors. By manipulating the WooCommerce checkout page, the malware injects fake form fields that ask customers for names, addresses, credit card numbers, expiry dates, and CVV security codes. These fraudulent forms disable the browser’s autocomplete feature, preventing saved payment information from auto-filling and making the fake fields appear legitimate. Customers unknowingly submit their payment details to the attacker’s infrastructure instead of the merchant’s payment gateway.
Why this WordPress plugin vulnerability targets ecommerce specifically
Ecommerce sites represent the highest-value targets for payment data theft because they process thousands of customer transactions daily. A single compromised checkout page can expose credit card information from dozens or hundreds of customers before the breach is detected. Unlike account takeover attacks or data exfiltration that might trigger alerts, credit card skimming happens silently during normal checkout operations, making it particularly dangerous for WordPress site owners running online stores.
The malware’s focus on WooCommerce, the most widely deployed ecommerce platform on WordPress, amplifies its impact across the ecosystem. When attackers compromise a popular plugin like Funnel Builder, they gain leverage across thousands of sites simultaneously. This is why WordPress plugin vulnerabilities have become such a persistent security headache for site administrators, who often struggle to keep dozens of plugins updated across multiple installations.
What you should do right now
If you operate a WordPress site with an online shop, update the Funnel Builder plugin immediately. The vulnerability has been patched, and delaying updates increases the window of exposure. Beyond patching, monitor your wp_options table for suspicious entries, particularly the dnsp_settings option where this specific malware persists. Check your WooCommerce checkout page for any unexpected form fields or layout changes that might indicate injection.
Disabled autocomplete on payment forms is a red flag worth investigating. While autocomplete being disabled is not inherently malicious, it becomes suspicious when paired with unusual form behavior or unexpected database entries. If you suspect compromise, audit your recent database backups to determine when the infection began, then restore from a clean backup created before the intrusion.
Why plugin security remains WordPress’s biggest vulnerability
The Funnel Builder incident is not an isolated case. WordPress plugin vulnerabilities continue to plague the platform because the plugin ecosystem lacks centralized security vetting. Site owners must rely on developers to patch vulnerabilities quickly, but many plugins receive infrequent updates or are abandoned entirely. This creates a perpetual arms race where attackers target known flaws in popular plugins while administrators struggle to keep pace with patches.
The WordPress plugin vulnerability landscape differs fundamentally from closed-source platforms where security updates flow through a single vendor. WordPress’s distributed plugin model means that security depends on hundreds of independent developers maintaining code quality. When a major plugin like Funnel Builder is compromised, the impact cascades across thousands of sites whose owners may not even realize they’re running vulnerable code.
Is my site at risk from this WordPress plugin vulnerability?
Your site is at risk if you run the Funnel Builder plugin on a WordPress installation with WooCommerce enabled. The attack specifically targets ecommerce functionality, so sites without online stores face lower immediate risk. However, any WordPress site running unpatched plugins is vulnerable to some form of exploitation. Patching immediately is non-negotiable for any site handling customer data.
How can I tell if my WordPress site was compromised by this malware?
Check your WordPress database for suspicious entries in the dnsp_settings option within the wp_options table. If this option exists and you did not create it intentionally, it likely contains malicious code. Additionally, review your WooCommerce checkout page source code for unexpected form fields or JavaScript that you did not add. Look for any recent database modifications or file uploads that coincide with when the compromise may have occurred.
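The two checks described above and under "What you should do right now" (the dnsp_settings row in wp_options, and card-like checkout fields with autocomplete disabled) can be scripted for triage. The following is an added example, not code from the article or from the plugin; the field-name patterns, code markers, function names and sample data are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

SUSPECT_OPTION = "dnsp_settings"  # option name reported in the article
# Assumed heuristics for this example, not indicators taken from the article:
CARD_HINTS = re.compile(r"card|cc[-_]?(num|exp)|cvv|cvc|expiry", re.I)
CODE_MARKERS = re.compile(r"<\?php|<script|\beval\s*\(|base64_decode\s*\(", re.I)

class CheckoutAudit(HTMLParser):
    """Collect card-like inputs whose autocomplete is switched off."""
    def __init__(self):
        super().__init__()
        self.form_off, self.findings = False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag in ("input", "select"):
            label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
            off = a.get("autocomplete", "").lower() == "off" or (
                self.form_off and "autocomplete" not in a)
            if off and CARD_HINTS.search(label):
                self.findings.append(a.get("name") or a.get("id") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_checkout(html):
    """Return the names of card-like fields that have autocomplete disabled."""
    parser = CheckoutAudit()
    parser.feed(html)
    return parser.findings

def audit_options(rows):
    """rows: (option_name, option_value) pairs exported from wp_options.
    Returns (name, value_contains_code_markers) for the suspect option."""
    return [(name, bool(CODE_MARKERS.search(value)))
            for name, value in rows if name == SUSPECT_OPTION]

# Constructed sample data, not captured from a real infection.
SAMPLE_HTML = """<form class="checkout">
<input name="billing_first_name" autocomplete="given-name">
<input name="order_comments" autocomplete="off">
<input name="card_number" autocomplete="off">
<input id="cvv" autocomplete="off"></form>"""
SAMPLE_ROWS = [("siteurl", "https://shop.example"),
               ("dnsp_settings", "<?php /* placeholder body */ ?>")]

if __name__ == "__main__":
    print("checkout fields to review:", audit_checkout(SAMPLE_HTML))
    print("wp_options rows to review:", audit_options(SAMPLE_ROWS))
```

Findings are leads for manual review, since disabled autocomplete alone is not proof of injection; feed the functions the rendered checkout page source and an export of the site's own wp_options rows.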
What makes this attack different from other WordPress plugin vulnerabilities?
Most WordPress plugin vulnerabilities expose site data or allow account takeover. This attack is designed specifically for payment data theft, making it more immediately profitable for attackers. The malware persists in the database rather than in files, which can make it harder to detect with standard file-based security scanners. This database-level persistence combined with checkout page injection creates a uniquely dangerous attack vector for ecommerce operators.
The WordPress plugin vulnerability landscape will continue to evolve as long as the ecosystem prioritizes convenience over security. Site owners cannot rely on plugin developers alone to keep their installations safe. Implement regular security audits, maintain current backups, and treat plugin updates as critical maintenance rather than optional improvements. Your customers’ payment information depends on it.
Edited by the All Things Geek team.
Source: TechRadar


