CVE-2026-47100
Description
Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can inject malicious JavaScript into WooCommerce checkout pages via a missing authorization flaw in Funnel Builder for WooCommerce Checkout prior to 3.15.0.3.
Root Cause
Funnel Builder for WooCommerce Checkout (versions prior to 3.15.0.3) contains a missing authorization vulnerability (CWE-862) in its public checkout endpoint. The endpoint allows unauthenticated HTTP requests to invoke arbitrary internal methods without any permission checks [2]. One of the reachable methods writes attacker-supplied data directly into the plugin's External Scripts global setting, which is output on every Funnel Builder checkout page [1].
Exploitation
No authentication is required; an attacker can send a crafted request to the public checkout endpoint, select the internal method that modifies the External Scripts setting, and inject a malicious `<script>` tag [2]. Sansec has observed active exploitation where attackers insert a fake Google Tag Manager script that, on page load, decodes a base64 payload and loads an external JavaScript file from an attacker-controlled domain [1]. The script opens a WebSocket connection to a command-and-control server, enabling exfiltration of sensitive data entered during checkout.
Impact
Every visitor to the infected checkout page will execute the injected script. The observed payload is a payment skimmer that captures credit card numbers, CVV codes, and billing addresses, transmitting them to the attacker's C2 infrastructure [1]. Because the injected script sits alongside legitimate analytics tags, it can remain undetected by store administrators and casual inspection. Stores using this plugin risk full compromise of all checkout transactions until the vulnerability is patched.
Mitigation
The vendor, FunnelKit, has released version 3.15.0.3 which adds the missing capability check and restricts the public endpoint to an allow-list of safe methods [1]. All users of Funnel Builder for WooCommerce Checkout should update immediately. There are no reported workarounds for unpatched versions beyond disabling the plugin or removing the vulnerable endpoint via a custom firewall rule.
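The fix described above (a capability check plus an allow-list of methods the public endpoint may dispatch), shown as an added PHP illustration that is not FunnelKit's code: the class, hook, method and option names are hypothetical, while the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `update_option`) are real.

```php
<?php
// Added illustration, not the plugin's code. A WordPress AJAX controller that
// dispatches to a method named in the request; all names here are hypothetical.
class Example_Checkout_Ajax_Controller {

    // Methods a guest on the checkout page legitimately needs.
    private const PUBLIC_METHODS = [ 'get_shipping_methods' ];

    // Methods that change global settings; these require an administrator.
    private const ADMIN_METHODS = [ 'save_external_scripts' ];

    public function __construct() {
        // A checkout endpoint must serve anonymous users too (wp_ajax_nopriv_),
        // so the dispatcher, not the hook, has to enforce authorization.
        add_action( 'wp_ajax_example_checkout', [ $this, 'dispatch' ] );
        add_action( 'wp_ajax_nopriv_example_checkout', [ $this, 'dispatch' ] );
    }

    // VULNERABLE pattern (CWE-862): any method name in the request is invoked,
    // so an unauthenticated caller reaches the settings writer.
    public function dispatch_vulnerable() {
        $method = sanitize_text_field( wp_unslash( $_REQUEST['method'] ?? '' ) );
        if ( method_exists( $this, $method ) ) {
            $this->$method();
        }
    }

    // FIXED pattern: explicit allow-list, and a nonce plus capability check
    // before any method that writes configuration.
    public function dispatch() {
        $method = sanitize_text_field( wp_unslash( $_REQUEST['method'] ?? '' ) );
        if ( in_array( $method, self::PUBLIC_METHODS, true ) ) {
            $this->$method();
            return;
        }
        if ( in_array( $method, self::ADMIN_METHODS, true ) ) {
            check_ajax_referer( 'example_checkout_admin', 'nonce' );
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'forbidden', 403 ); // exits
            }
            $this->$method();
            return;
        }
        wp_send_json_error( 'unknown method', 400 );
    }

    private function get_shipping_methods() { wp_send_json_success( [] ); }

    private function save_external_scripts() {
        // Hypothetical option name; the value is raw HTML by design, which is
        // exactly why only administrators may ever reach this method.
        update_option( 'example_external_scripts', wp_unslash( $_POST['scripts'] ?? '' ) );
        wp_send_json_success();
    }
}
new Example_Checkout_Ajax_Controller();
```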
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.15.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/changeset/3530797/funnel-builder/tags/3.15.0.3/modules/checkouts/includes/class-wfacp-ajax-controller.php (NVD)
- sansec.io/research/funnelkit-woocommerce-vulnerability-exploited (NVD)
- www.vulncheck.com/advisories/funnel-builder-for-woocommerce-checkout-missing-authorization-via-ajax (NVD)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026), Wordfence Blog, May 7, 2026