Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
AnalysisAI
Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.
Technical ContextAI
FunnelKit's Funnel Builder is a widely deployed WordPress/WooCommerce plugin (CPE cpe:2.3:a:funnelkit:funnel_builder_for_woocommerce_checkout) used to build custom checkout funnels for online stores. The root cause is CWE-862 (Missing Authorization): the plugin's public AJAX controller (class-wfacp-ajax-controller.php) exposes internal methods through a checkout endpoint without verifying the caller's identity or capabilities (e.g., no current_user_can or nonce checks). One of the reachable methods updates the plugin's global 'External Scripts' option, which is intended to allow administrators to add tracking pixels and third-party scripts to checkout pages - making it a perfect sink for persistent JavaScript injection that loads on every customer's checkout page render.
RemediationAI
Vendor-released patch: upgrade Funnel Builder for WooCommerce Checkout to version 3.15.0.3 or later, which adds the missing authorization checks in class-wfacp-ajax-controller.php as shown in the WordPress.org changeset 3530797. Because Sansec reports active exploitation, treat upgrade as urgent and, after patching, audit the plugin's External Scripts setting (and any wfacp_* options in wp_options) for unfamiliar JavaScript, review checkout page HTML for unknown script tags, and rotate any customer payment-processing API keys that may have been exposed during the exposure window. If immediate patching is not possible, compensating controls include blocking the vulnerable AJAX action at the web server or WAF layer (deny POSTs to admin-ajax.php with the affected wfacp_* action parameter - note this will break the legitimate checkout flow until the plugin is updated), restricting access to /wp-admin/admin-ajax.php to authenticated sessions via reverse proxy (will break other anonymous AJAX consumers like cart updates), or temporarily deactivating the plugin (will disable custom checkout funnels and likely impact conversions).
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30936
GHSA-cffp-87j8-rff2