Funnel Builder for WooCommerce Checkout < 3.15.0.3 Missing Authorization via AJAX

Description

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

Affected Products

Vendor	Product	Versions
funnel builder	funnel builder for woocommerce checkout	0

References

Related News (1 articles)

Tier C

VulDB1d ago

CVE-2026-47100 | FunnelKit Funnel Builder for WooCommerce Checkout up to 3.15.0.3 Public Checkout Endpoint authorization

→ No new info (linked only)

CVSS 3.17.5 NONE

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

3.15.0.3

CWECWE-862

PublishedMay 19, 2026

Last enriched1d agov2

Trending Score93

Source articles1

Independent1

Info Completeness9/14

Missing: cvss, epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 1d ago

v2Tier C1d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited with an available exploit.

severityexploitAvailableactivelyExploited

via VulDB

v11d ago

Initial creation