Description
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
Published: 2026-05-19
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the public checkout AJAX endpoint of Funnel Builder for WooCommerce Checkout allows an unauthenticated attacker to call internal methods and write arbitrary data into the plugin's External Scripts global setting. By injecting malicious JavaScript into this setting, the attacker can make the script execute in the browsers of every visitor to the checkout page, potentially stealing credentials, defacing the site, or delivering phishing payloads. The flaw is a classic example of CWE‑862, where access control checks are omitted for a privileged operation.

Affected Systems

The vulnerability affects installations of Funnel Builder for WooCommerce Checkout from FunnelKit that are running any version earlier than 3.15.0.3. No other products or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and although the EPSS score is not available, the public nature of the flaw and the lack of authentication requirements suggest a high likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, but its impact on all checkout page visitors makes it a critical issue. Attackers can trigger the flaw simply by sending a crafted AJAX request to the public endpoint, after which any visitor’s browser will run the injected script.

Generated by OpenCVE AI on May 19, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Funnel Builder for WooCommerce Checkout to version 3.15.0.3 or later, which removes the missing authorization check.
  • If an upgrade cannot be applied immediately, clear the External Scripts setting or enforce a sanitization routine that strips or refuses non‑trusted scripts.
  • Implement a strong Content Security Policy that disallows inline and external scripts from untrusted origins, mitigating the damage if the flaw is still present.
  • Restrict access to the checkout AJAX endpoint to authenticated administrators only, for example by adding a check for logged‑in status or by blocking the endpoint for anonymous users via web‑server configuration.

Generated by OpenCVE AI on May 19, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
Title Funnel Builder for WooCommerce Checkout < 3.15.0.3 Missing Authorization via AJAX
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-19T14:39:08.304Z

Reserved: 2026-05-18T19:22:26.747Z

Link: CVE-2026-47100

cve-icon Vulnrichment

Updated: 2026-05-19T14:38:57.436Z

cve-icon NVD

Status : Received

Published: 2026-05-19T15:16:32.117

Modified: 2026-05-19T16:16:22.273

Link: CVE-2026-47100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:30:08Z

Weaknesses