CVE-2026-47100
Funnel Builder for WooCommerce Missing Authorization Flaw
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | funnel_builder | up to 3.15.0.3 (excluding) |
| funnelkit | funnel_builder_for_woocommerce_checkout | up to 3.15.0.3 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Funnel Builder for WooCommerce Checkout versions prior to 3.15.0.3. It is a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods.
Attackers can exploit this flaw to write arbitrary data to the plugin's External Scripts global setting, enabling them to inject malicious JavaScript code.
This malicious JavaScript then executes in the browsers of all visitors to the checkout page.
How can this vulnerability impact me?
This vulnerability can have serious impacts as attackers can inject malicious JavaScript into the checkout pages of WooCommerce stores using the vulnerable Funnel Builder plugin.
The injected scripts execute in the browsers of all checkout page visitors, potentially leading to theft of sensitive information, session hijacking, or other malicious activities.
Since the attack requires no authentication and can be performed remotely, it poses a high risk to both store owners and customers.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Funnel Builder for WooCommerce Checkout plugin to version 3.15.0.3 or later, as versions prior to this contain the missing authorization vulnerability.
This update will prevent unauthenticated attackers from invoking internal methods and injecting malicious JavaScript through the External Scripts setting.
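As an added illustration of the CWE-862 pattern listed above, and not the plugin's own code: a hypothetical WordPress AJAX endpoint that dispatches to caller-named internal methods without any authorization check, placed beside a hardened version that restricts the endpoint to authenticated administrators, verifies a nonce, dispatches only through an explicit allowlist, and stores the "external scripts" setting as validated URLs rather than raw markup. The hook names, the `FB_Checkout_Settings` class, the `fb_external_scripts` option and the handler function names are invented for the example; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `esc_url_raw`, `update_option`, `wp_send_json_error`) are real.

```php
<?php
// Added example (hypothetical names, not the plugin's code): the weak pattern
// behind CWE-862 beside a hardened replacement for a settings-writing endpoint.

// --- Weak pattern: reachable unauthenticated, no capability or nonce check,
//     and the request body picks which internal method runs. ---
add_action( 'wp_ajax_nopriv_fb_checkout_ajax', 'fb_checkout_ajax_weak' );
function fb_checkout_ajax_weak() {
    $method = isset( $_POST['method'] ) ? $_POST['method'] : '';
    // Any visitor can reach any public method of the hypothetical settings class.
    if ( method_exists( 'FB_Checkout_Settings', $method ) ) {
        call_user_func( array( 'FB_Checkout_Settings', $method ), $_POST );
    }
    wp_die();
}

// --- Hardened pattern: admin-only hook, capability check, nonce, allowlist. ---
// Registering only the wp_ajax_ hook (no wp_ajax_nopriv_) already keeps
// logged-out requests out; the capability check below is the real gate.
add_action( 'wp_ajax_fb_checkout_admin', 'fb_checkout_ajax_hardened' );
function fb_checkout_ajax_hardened() {
    // 1. Authorization: only users allowed to manage the site may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'fb_checkout_admin_nonce', 'nonce' );

    // 3. Dispatch through a fixed allowlist, never to a caller-named method.
    $handlers = array(
        'save_external_scripts' => 'fb_save_external_scripts',
    );
    $action = isset( $_POST['method'] ) ? sanitize_key( $_POST['method'] ) : '';
    if ( ! isset( $handlers[ $action ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown action' ), 400 );
    }
    call_user_func( $handlers[ $action ], wp_unslash( $_POST ) );
}

// A setting that is later echoed into the checkout page is the highest-risk
// write in a plugin like this. Store only well-formed http(s) script URLs,
// never raw <script> markup, so stored data cannot become inline JavaScript.
function fb_save_external_scripts( $post ) {
    $raw  = isset( $post['scripts'] ) ? (array) $post['scripts'] : array();
    $urls = array();
    foreach ( $raw as $entry ) {
        $url = esc_url_raw( trim( (string) $entry ), array( 'http', 'https' ) );
        if ( '' !== $url ) {
            $urls[] = $url;
        }
    }
    update_option( 'fb_external_scripts', $urls );
    wp_send_json_success( array( 'count' => count( $urls ) ) );
}

// On output, escape again and emit only <script src="..."> tags from the list;
// the stored value never reaches the page as literal markup.
function fb_render_external_scripts() {
    foreach ( (array) get_option( 'fb_external_scripts', array() ) as $url ) {
        printf( '<script src="%s"></script>' . "\n", esc_url( $url ) );
    }
}
add_action( 'wp_footer', 'fb_render_external_scripts' );
```

The two changes that matter most for this CVE class are the capability check (the missing authorization itself) and the allowlist dispatch, which removes the "invoke arbitrary internal methods" primitive entirely; restricting the setting to URLs is defence in depth so that even an authorized but mistaken write cannot place inline JavaScript in front of every checkout visitor.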
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to inject malicious JavaScript into the checkout pages of WooCommerce stores using the Funnel Builder plugin. This can lead to unauthorized data manipulation and potential exposure of sensitive customer information during the checkout process.
Such unauthorized access and potential data exposure could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data to prevent unauthorized access and ensure data integrity.