PatchSiren cyber security CVE debrief
CVE-2026-47100 FunnelKit CVE debrief
CVE-2026-47100 describes a missing-authorization flaw in Funnel Builder for WooCommerce Checkout versions before 3.15.0.3. An unauthenticated attacker can invoke internal methods through the public checkout endpoint and write arbitrary data to the plugin’s External Scripts global setting, creating a path to JavaScript injection on checkout pages.
- Vendor
- FunnelKit
- Product
- Funnel Builder for WooCommerce Checkout
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-19
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-19
Who should care
Site owners, WordPress administrators, and security teams running Funnel Builder for WooCommerce Checkout on public storefronts should treat this as urgent. Any environment exposing the affected plugin version before 3.15.0.3 may be at risk of checkout-page script injection affecting visitors.
Technical summary
The supplied CVE description and NVD metadata indicate a missing authorization weakness on a public checkout endpoint in Funnel Builder for WooCommerce Checkout prior to 3.15.0.3. The weakness is identified as CWE-862 in the source metadata. Because the endpoint is reachable without authentication, attackers can trigger internal functionality that updates the plugin’s External Scripts global setting. If malicious script content is stored there, it can execute in the browsers of checkout page visitors, which is consistent with a high-severity web injection impact. NVD lists the record as Deferred and includes references to the vendor fix in WordPress Trac, VulnCheck’s advisory, and Sansec research.
Defensive priority
High. This is unauthenticated, internet-reachable attack surface in a checkout path and can affect all visitors to impacted checkout pages until the plugin is updated and the injected setting is remediated.
Recommended defensive actions
- Update Funnel Builder for WooCommerce Checkout to version 3.15.0.3 or later as soon as possible.
- Review the plugin’s External Scripts global setting for unexpected or malicious content.
- Audit checkout-page assets and browser behavior for signs of injected JavaScript or unauthorized configuration changes.
- Check WordPress admin and application logs for unusual requests to the checkout endpoint before remediation.
- Verify all storefront instances, staging sites, and clones for affected plugin versions and inconsistent configuration drift.
Evidence notes
This debrief uses the supplied CVE description, publishedAt timestamp of 2026-05-19T15:16:32.117Z, and NVD metadata. NVD metadata classifies the issue as CWE-862 and lists references to the WordPress plugin Trac changeset for 3.15.0.3, VulnCheck’s advisory, and Sansec research. The NVD vulnStatus is Deferred in the supplied source item. No unsupported exploit details are included.
Official resources
Public disclosure context is based on the supplied CVE publishedAt timestamp of 2026-05-19T15:16:32.117Z. NVD’s modified timestamp is 2026-05-19T17:57:58.497Z, and the record is marked Deferred in the supplied source item metadata.