CVE-2026-47100
Published 2026-05-19

CVE-2026-47100: Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows…

| Priority | Severity | Score | CVSS 3.1 vector |
|---|---|---|---|
| P277 | high | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

ITW: VulnCheck KEV (exploited in the wild)

EPSS: 0.46% (36.3rd percentile)
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| funnelkit | funnel_builder_for_woocommerce_checkout | < 3.15.0.3 | 3.15.0.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| NVD | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | – | 8.7 | HIGH | – |
GHSA

GHSA-cffp-87j8-rff2 (ghsa_unreviewed, 2026-05-19): CVE-2026-47100 [HIGH], CWE-862: Funnel Builder for WooCommerce Checkout prior to 3

Description identical to the summary above.
VulDB

VulDB (2026-05-19, CVSS 8.7): CVE-2026-47100 [HIGH] FunnelKit Funnel Builder for WooCommerce Checkout up to 3.15.0.3 Public Checkout Endpoint authorization
A vulnerability was found in FunnelKit Funnel Builder for WooCommerce Checkout up to 3.15.0.3. It has been declared as critical. This impacts an unknown function of the component Public Checkout Endpoint. The manipulation results in missing authorization.
This vulnerability is reported as CVE-2026-47100. The attack can be launched remotely. Moreover, an exploit is present.
It is recommended to upgrade the affected component.
VulnCheck

VulnCheck (2026, CVSS 8.7): CVE-2026-47100 [HIGH] Missing Authorization

Description identical to the summary above.
Affected: FunnelKit Funnel Builder for WooCommerce Checkout
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited
- No detection rules found.
- No public exploits indexed.
- No writeups or analysis indexed.

References:

- https://plugins.trac.wordpress.org/changeset/3530797/funnel-builder/tags/3.15.0.3/modules/checkouts/includes/class-wfacp-ajax-controller.php
- https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited
- https://www.vulncheck.com/advisories/funnel-builder-for-woocommerce-checkout-missing-authorization-via-ajax