CVE-2026-47100
Deferred Deferred - Pending Action
Funnel Builder for WooCommerce Missing Authorization Flaw

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: VulnCheck

Description
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-47100
EUVD
EUVD-2026-30936
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
woocommerce funnel_builder to 3.15.0.3 (exc)
funnelkit funnel_builder_for_woocommerce_checkout to 3.15.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Funnel Builder for WooCommerce Checkout versions prior to 3.15.0.3. It is a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods.

Attackers can exploit this flaw to write arbitrary data to the plugin's External Scripts global setting, enabling them to inject malicious JavaScript code.

This malicious JavaScript then executes in the browsers of all visitors to the checkout page.

Impact Analysis

This vulnerability can have serious impacts as attackers can inject malicious JavaScript into the checkout pages of WooCommerce stores using the vulnerable Funnel Builder plugin.

The injected scripts execute in the browsers of all checkout page visitors, potentially leading to theft of sensitive information, session hijacking, or other malicious activities.

Since the attack requires no authentication and can be performed remotely, it poses a high risk to both store owners and customers.

Mitigation Strategies

To mitigate this vulnerability, you should update the Funnel Builder for WooCommerce Checkout plugin to version 3.15.0.3 or later, as versions prior to this contain the missing authorization vulnerability.

This update will prevent unauthenticated attackers from invoking internal methods and injecting malicious JavaScript through the External Scripts setting.

Compliance Impact

The vulnerability allows unauthenticated attackers to inject malicious JavaScript into the checkout pages of WooCommerce stores using the Funnel Builder plugin. This can lead to unauthorized data manipulation and potential exposure of sensitive customer information during the checkout process.

Such unauthorized access and potential data exposure could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized access and ensure data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47100. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart