A medium severity Unauthenticated Cross Site Request Forgery (CSRF) vulnerability was discovered in the FunnelKit Payment Gateway for Stripe WooCommerce plugin, affecting versions up to 1.14.0.3. The vulnerability, tracked as CVE-2026-57635, has a CVSS score of 6.5. The issue was publicly disclosed on June 26, 2026, and the CVE record was last modified on June 29, 2026. The vulnerability allows an attacke [truncated]
CVE-2026-48966 is a HIGH severity Unauthenticated Cross Site Scripting (XSS) vulnerability in Funnel Builder by FunnelKit versions <= 3.15.0.2. The vulnerability was published on [cvePublishedAt] and modified on [cveModifiedAt]. The CVSS score is 7.1.
CVE-2026-42381 is a critical unauthenticated SQL injection vulnerability in Funnel Builder by FunnelKit versions <= 3.15.0.1. The vulnerability has a CVSS score of 9.3 and is considered critical. It was published on 2026-06-15T21:16:53.990Z and modified on 2026-06-15T21:24:32.790Z.
CVE-2026-47100 describes a missing-authorization flaw in Funnel Builder for WooCommerce Checkout versions before 3.15.0.3. An unauthenticated attacker can invoke internal methods through the public checkout endpoint and write arbitrary data to the plugin’s External Scripts global setting, creating a path to JavaScript injection on checkout pages.