PatchSiren

FunnelKit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH · FunnelKit CVE · published 2026-05-19

CVE-2026-47100

CVE-2026-47100 describes a missing-authorization flaw in Funnel Builder for WooCommerce Checkout versions before 3.15.0.3. An unauthenticated attacker can invoke internal methods through the public checkout endpoint and write arbitrary data to the plugin’s External Scripts global setting, creating a path to JavaScript injection on checkout pages.