Skip to main content

Funnel Builder for WooCommerce Checkout EUVDEUVD-2026-30936

| CVE-2026-47100 HIGH
Missing Authorization (CWE-862)
2026-05-19 VulnCheck GHSA-cffp-87j8-rff2
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 19, 2026 - 15:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 15:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
May 19, 2026 - 15:01 vuln.today

DescriptionCVE.org

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

AnalysisAI

Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.

Technical ContextAI

FunnelKit's Funnel Builder is a widely deployed WordPress/WooCommerce plugin (CPE cpe:2.3:a:funnelkit:funnel_builder_for_woocommerce_checkout) used to build custom checkout funnels for online stores. The root cause is CWE-862 (Missing Authorization): the plugin's public AJAX controller (class-wfacp-ajax-controller.php) exposes internal methods through a checkout endpoint without verifying the caller's identity or capabilities (e.g., no current_user_can or nonce checks). One of the reachable methods updates the plugin's global 'External Scripts' option, which is intended to allow administrators to add tracking pixels and third-party scripts to checkout pages - making it a perfect sink for persistent JavaScript injection that loads on every customer's checkout page render.

RemediationAI

Vendor-released patch: upgrade Funnel Builder for WooCommerce Checkout to version 3.15.0.3 or later, which adds the missing authorization checks in class-wfacp-ajax-controller.php as shown in the WordPress.org changeset 3530797. Because Sansec reports active exploitation, treat upgrade as urgent and, after patching, audit the plugin's External Scripts setting (and any wfacp_* options in wp_options) for unfamiliar JavaScript, review checkout page HTML for unknown script tags, and rotate any customer payment-processing API keys that may have been exposed during the exposure window. If immediate patching is not possible, compensating controls include blocking the vulnerable AJAX action at the web server or WAF layer (deny POSTs to admin-ajax.php with the affected wfacp_* action parameter - note this will break the legitimate checkout flow until the plugin is updated), restricting access to /wp-admin/admin-ajax.php to authenticated sessions via reverse proxy (will break other anonymous AJAX consumers like cart updates), or temporarily deactivating the plugin (will disable custom checkout funnels and likely impact conversions).

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-30936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy