CVE-2026-47100: Funnel Builder for WooCommerce Checkout Vulnerability

The National Vulnerability Database reports a critical missing authorization vulnerability, CVE-2026-47100, in the Funnel Builder for WooCommerce Checkout plugin, affecting versions prior to 3.15.0.3. This flaw allows unauthenticated attackers to exploit the public checkout endpoint, invoking internal methods and injecting arbitrary data into the plugin’s External Scripts global setting.

Attackers can leverage this to inject malicious JavaScript. This script then executes in the browsers of all visitors to the checkout page, leading to potential client-side compromises. The National Vulnerability Database assigns this a CVSS score of 7.5 (High), underscoring the severity of the unauthenticated access and high integrity impact.

This vulnerability represents a significant threat to e-commerce operations using the affected plugin. The ability to inject malicious scripts into a critical path like the checkout page can lead to data theft, session hijacking, or redirection to phishing sites, directly impacting customer trust and business continuity.

What This Means For You

  • If your organization uses the Funnel Builder for WooCommerce Checkout plugin, you need to immediately verify your version. Patch to 3.15.0.3 or higher without delay. This isn't theoretical; unauthenticated attackers can inject malicious JavaScript directly into your checkout process, compromising customer data and trust.
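A triage sketch for the version check and the External Scripts review described above. This is an added example, not code from NVD, the plugin or its vendor. It assumes you supply the text of the plugin's main PHP file and a copy of the External Scripts field from the plugin settings yourself, along with the script hosts your shop actually uses; all function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIXED = (3, 15, 0, 3)  # first fixed release named in the advisory

def parse_version(text):  # "3.15" -> (3, 15, 0, 0)
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def header_version(plugin_php):
    """Read the 'Version:' field of a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#]*Version:\s*([\d.]+)", plugin_php, re.M | re.I)
    return m.group(1) if m else None

def is_vulnerable(version):  # numeric compare; as strings "3.9.0" > "3.15.0.3"
    return parse_version(version) < FIXED

class _ScriptAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts) | {""}  # "" = relative, same-origin src
        self.findings, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src is None:
            self._buf = []  # inline script: collect its body for review
        elif tag == "script" and (urlparse(src).hostname or "") not in self.allowed:
            self.findings.append(("external", src))
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body, self._buf = "".join(self._buf).strip(), None
            if body:
                self.findings.append(("inline", body[:60]))

def audit_external_scripts(setting_value, allowed_hosts):
    """Return script tags that are inline or load from hosts not in allowed_hosts."""
    audit = _ScriptAudit(allowed_hosts)
    audit.feed(setting_value)
    audit.close()
    return audit.findings

# Constructed sample inputs (not from a real site or from the plugin).
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Example\n * Version: 3.9.0\n */\n"
SAMPLE_SETTING = ('<script src="https://analytics.shop.example/t.js"></script>'
                  '<script src="https://cdn.unlisted.example/x.js"></script>'
                  '<script>console.log("constructed inline sample")</script>')
```

Every inline script is reported because it cannot be matched against a host allowlist; treat any entry you did not add yourself as a reason to investigate, even after patching.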

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-47100 | RCE | Funnel Builder for WooCommerce Checkout < 3.15.0.3 |
| CVE-2026-47100 | Auth Bypass | missing authorization vulnerability in public checkout endpoint |
| CVE-2026-47100 | Code Injection | inject malicious JavaScript through External Scripts global setting |
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
