Skip to main content

Funnel Builder for WooCommerce Checkout CVE-2026-47100

| EUVD-2026-30936 HIGH
Missing Authorization (CWE-862)
2026-05-19 VulnCheck GHSA-cffp-87j8-rff2
WordPress Authentication Bypass
8.7
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 19, 2026 - 15:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 15:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
May 19, 2026 - 15:01 vuln.today

DescriptionNVD

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

AnalysisAI

Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all WooCommerce installations using FunnelKit versions prior to 3.15.0.3 and assess exposure scope. Within 7 days: Deploy FunnelKit patch to version 3.15.0.3 or later across all affected instances; audit External Scripts settings and server logs for unauthorized modifications. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-7862 HIGH POC
8.6 May 28

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
CVE-2026-8760 CRITICAL
9.8 May 27

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
CVE-2026-42727 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
CVE-2026-42761 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and

CVE-2026-8832 HIGH
8.8 May 27

Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run

Share

CVE-2026-47100 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy