CVE-2026-47100 HIGH

CVE-2026-47100: Funnel Builder for WooCommerce Checkout < 3.15.0.3 Missing Authorization via AJAX

Vendor Funnelkit

Product Funnel Builder for WooCommerce Checkout

Weakness CWE-862 · Missing authorization

Published May 19, 2026

Last update May 19, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

Key dates

Disclosure timeline

May 19, 2026 CVE published

May 19, 2026 Record updated

Identifiers

CVE CVE-2026-47100

CWE CWE-862

CVSS 8.7 / HIGH

Affected versions

Vendor Funnelkit

Product Funnel Builder for WooCommerce Checkout

Affected < 3.15.0.3