A critical security vulnerability in the WPFunnels WordPress plugin is currently being exploited in the wild to inject malicious JavaScript (e-skimmers) into e-commerce stores. This campaign, tracked as active by Security Affairs, targets WooCommerce sites leveraging the plugin for sales funnel creation.
The vulnerability (identified as CVE-2025-27944) allows unauthenticated attackers to manipulate plugin settings or upload files, leading to the injection of Magecart-style skimmers. These scripts steal customer payment information directly from checkout pages. Given the active exploitation status and the high value of the data at risk, immediate patching and detection are mandatory for all organizations running this plugin.
Technical Analysis
Affected Product: WPFunnels (WordPress Plugin)
Affected Versions: Versions prior to 3.5.4
CVE Identifier: CVE-2025-27944
CVSS Score: 9.8 (Critical)
The Vulnerability
CVE-2025-27944 is a Missing Authorization vulnerability within the plugin's AJAX handling mechanisms. Specifically, the plugin fails to properly validate user capabilities on several functions hooked to wp_ajax actions, so requests reach them without any permission check.
Attack Chain
- Reconnaissance: Attackers scan for WordPress sites exhibiting the WPFunnels plugin footprint.
- Exploitation: The attacker sends a crafted POST request to wp-admin/admin-ajax.php, triggering a vulnerable action (e.g., wpfunnels_global_settings_update or similar endpoints). Due to missing capability checks, the server processes this request without authentication.
- Injection: The request updates plugin options or injects code. In this specific campaign, attackers are injecting obfuscated JavaScript into the funnel steps or footer scripts.
- Exfiltration: When a victim loads an infected checkout page, the e-skimmer captures credit card details (PAN, CVV, Expiry) and transmits them to the attacker's command-and-control (C2) server.
Exploitation Status
Confirmed Active Exploitation. Intelligence indicates that threat actors are already leveraging this flaw to deploy e-skimmers. This is not theoretical; active compromises are occurring.
Detection & Response
Sigma Rules
The following Sigma rules detect exploitation attempts against the vulnerable AJAX endpoint and the subsequent file modifications often associated with webshell or skimmer deployment.
---
title: WPFunnels CVE-2025-27944 Exploitation Attempt
id: 9c2f3a1b-4d8e-4f5a-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects potential exploitation of WPFunnels missing authorization vulnerability via admin-ajax.php.
references:
  - https://securityaffairs.com/192260/cyber-crime/attackers-exploit-funnel-builder-bug-to-inject-e-skimmers-into-e-stores.html
author: Security Arsenal
date: 2025/02/20
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.27944
logsource:
  category: webserver
  product: apache
detection:
  selection:
    cs-method: POST
    c-uri|contains: '/wp-admin/admin-ajax.php'
    cs-uri-query|contains: 'action=wpfunnels_'   # an action sent only in the POST body is not visible in access logs
  condition: selection
falsepositives:
  - Legitimate administrative updates to WPFunnels settings (verify user agent and source IP)
level: high
---
title: WordPress E-Skimmer File Modification Indicator
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects creation of suspicious JavaScript files in WordPress upload directories, a common tactic for e-skimmer persistence.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/02/20
tags:
  - attack.persistence
  - attack.t1505
logsource:
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - '/wp-content/uploads/'
    TargetFilename|endswith:
      - '.js'
  condition: selection
falsepositives:
  - Legitimate plugin or theme asset uploads
level: medium
KQL (Microsoft Sentinel)
Use this query to hunt for suspicious POST requests to the WPFunnels AJAX endpoints in your Syslog or CommonSecurityLog data.
// Hunt for WPFunnels exploitation attempts
Syslog
| where Facility in ("nginx", "apache", "web")
| where SyslogMessage has_all ("POST", "admin-ajax.php", "action=wpfunnels_")
| extend RequestRaw = extract(@'POST\s+(.*?)\s+HTTP', 1, SyslogMessage)
| extend UserAgent = extract(@'User-Agent:\s+(.*?)\s*"', 1, SyslogMessage)
| project TimeGenerated, ComputerIP, RequestRaw, UserAgent, SyslogMessage
| sort by TimeGenerated desc
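As an added example (not from the original advisory), the same match condition as the Sigma rule and KQL above, applied in Python to Apache/nginx combined-format access log lines; the log lines, IPs and user agents are constructed samples. Access logs only expose an action carried in the query string, so an action posted solely in the request body needs WAF or request-body logging to be seen.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpfunnels_global_settings_update HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [20/Feb/2025:10:01:05 +0000] "GET /shop/ HTTP/1.1" 200 8912 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Feb/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpfunnels_global_settings_update HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [20/Feb/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Parser for the combined log format: client IP, timestamp, request line, status, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_wpfunnels_ajax_hit(rec):
    """Same condition as the Sigma rule: POST to admin-ajax.php whose query carries action=wpfunnels_."""
    path, _, query = rec["uri"].partition("?")
    return (rec["method"] == "POST"
            and path.endswith("/wp-admin/admin-ajax.php")
            and "action=wpfunnels_" in query)

def hunt(log_text):
    """Return one record per matching request, keeping the fields an analyst needs for triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        if is_wpfunnels_ajax_hit(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"],
                         "ua": rec["ua"], "status": rec["status"]})
    return hits

def summarize(hits):
    """Count hits per source IP so repeated unauthenticated probing stands out."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["uri"]} status={h["status"]} ua="{h["ua"]}"')
    print(summarize(hunt(SAMPLE_LOG)))
```

Feed a real access log through hunt() with open(path).read(); a 200 status on repeated hits from one IP is the case to escalate, since the settings update succeeded.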
Velociraptor VQL
This artifact hunts for recently modified JavaScript files within the wp-content directory, which may indicate skimmer injection.
// Hunt for recently modified JS files in WordPress directories
SELECT FullPath, Size, Mtime, Mode, Sys
FROM glob(globs="/**/wp-content/**/*.js")
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)   // Files modified in the last 7 days
  AND Size > 500                                   // Avoid empty or tiny files
  AND NOT FullPath =~ 'plugins/.*[.]js'            // Exclude known plugin paths if they are stable
  AND NOT FullPath =~ 'themes/.*[.]js'
Remediation Script (Bash)
Run this script on your WordPress servers to identify whether a vulnerable version is present and, if WP-CLI is available, force an update.
#!/bin/bash
# WPFunnels CVE-2025-27944 Remediation & Audit Script
# Usage: sudo ./audit_wpfunnels.sh
set -u

echo "[+] Scanning for WPFunnels installation..."

# Define paths (adjust if WordPress is installed elsewhere)
WEB_ROOT="/var/www/html"
PLUGIN_DIR="wp-content/plugins/wpfunnels"
PATCHED_VERSION="3.5.4"

if [ -d "$WEB_ROOT/$PLUGIN_DIR" ]; then
    echo "[!] WPFunnels detected at $WEB_ROOT/$PLUGIN_DIR"
    # Read the "Version:" line of the plugin header (first match only)
    CURRENT_VERSION=$(grep -m1 -i "^[[:space:]]*\**[[:space:]]*Version:" "$WEB_ROOT/$PLUGIN_DIR/wpfunnels.php" | awk -F: '{print $2}' | tr -d ' \r')
    echo "[*] Current Version: ${CURRENT_VERSION:-unknown}"
    # Compare as version numbers with sort -V; a plain string test misorders e.g. 3.10.0 against 3.5.4
    LOWEST=$(printf '%s\n' "$CURRENT_VERSION" "$PATCHED_VERSION" | sort -V | head -n1)
    if [ "$CURRENT_VERSION" != "$PATCHED_VERSION" ] && [ "$LOWEST" = "$CURRENT_VERSION" ]; then
        echo "[!!!] VULNERABLE VERSION DETECTED (${CURRENT_VERSION:-unknown} < $PATCHED_VERSION)"
        echo "[+] Attempting to update via WP-CLI..."
        if command -v wp >/dev/null 2>&1; then
            cd "$WEB_ROOT" || exit 1
            wp plugin update wpfunnels --allow-root
            echo "[+] Update completed. Please verify manually."
        else
            echo "[!] WP-CLI not found. Manual update required immediately."
            echo "    Download latest version: https://wordpress.org/plugins/wpfunnels/"
        fi
    else
        echo "[OK] Version appears patched."
    fi
else
    echo "[OK] WPFunnels not found in standard path."
fi

echo "[+] Audit complete."
Remediation
- Immediate Patching: Update the WPFunnels plugin to version 3.5.4 or later immediately. This version contains the patch for CVE-2025-27944.
- Compromise Assessment: If your site was running a vulnerable version during the active exploitation window, assume compromise. Conduct a forensic review of:
  - the wp_options table for injected scripts,
  - theme files (header.php, footer.php) for obfuscated JS,
  - wp-content/uploads/ directories for suspicious PHP or JS files.
- Credential Reset: If exploitation is confirmed, reset all WordPress admin credentials and database salts/keys immediately.
- Vendor Advisory: Refer to the official WordPress Plugin Repository for the changelog and security release notes.
- Web Application Firewall (WAF): Ensure your WAF rules are updated to block known signature patterns associated with admin-ajax.php actions for this plugin if patching is delayed (though patching is the only remediation).
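An added example to support the compromise assessment step above (not the advisory's own tooling): a Python triage scanner that walks a directory such as wp-content/uploads/ or a theme folder and flags JS/PHP files carrying several obfuscation markers at once. The marker list, the two-marker threshold and the sample files are assumptions constructed for illustration, not a signature for this campaign.

```python
import os
import re
import tempfile

# Heuristic markers frequently seen in obfuscated skimmer JavaScript. The marker set and
# the "two or more markers" threshold are triage assumptions, not indicators from the advisory.
MARKERS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "from_char_code": re.compile(r"String\.fromCharCode"),
    "atob_call": re.compile(r"\batob\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "card_field_hook": re.compile(r"cc_number|card.?number|cvv|cvc|expir", re.I),
}

def score_text(text):
    """Names of the markers present in one file's contents."""
    return [name for name, rx in MARKERS.items() if rx.search(text)]

def scan_tree(root, exts=(".js", ".php"), min_markers=2):
    """Walk root (e.g. wp-content/uploads or a theme directory) and list files worth a manual look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            if len(hits) >= min_markers:
                findings.append((os.path.relpath(path, root), hits))
    return findings

# Constructed samples for a self-contained run: one benign asset, one obfuscated file.
BENIGN_JS = "document.querySelector('#cart').addEventListener('click', function () { updateCart(); });"
SUSPECT_JS = ("var p='" + "QUJD" * 40 + "';eval(atob(p));"
              "document.querySelector('input[name=cc_number]');String.fromCharCode(104,105);")

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads", "2025", "02"))
        with open(os.path.join(root, "uploads", "theme.js"), "w") as fh:
            fh.write(BENIGN_JS)
        with open(os.path.join(root, "uploads", "2025", "02", "jquery.min.js"), "w") as fh:
            fh.write(SUSPECT_JS)
        return scan_tree(root)
```

demo() exercises the scanner on the constructed files; scan_tree("/var/www/html/wp-content/uploads") runs it against a real site, and the wp_options review still has to be done in the database.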