01 · The Real Story
This is a public storefront light switch that also happens to control the card skimmer
CVE-2026-47100 is a missing authorization flaw in FunnelKit's *Funnel Builder for WooCommerce Checkout* affecting all versions before 3.15.0.3. The public checkout endpoint can be reached without authentication and, per NVD and Sansec, older builds let the request invoke internal methods that write attacker-controlled data into the plugin's External Scripts global setting. Because that setting is rendered into checkout pages, an attacker can plant JavaScript that runs in every shopper's browser during payment.
The vendor-style HIGH 7.5 baseline understates reality for defenders. In a lab this is 'just' integrity impact in the browser, but in production it sits on an internet-facing payment workflow, is unauthenticated, and has active exploitation evidence tied to card-skimming behavior. That combination pushes this into CRITICAL operational priority even though it is not server-side RCE.
"Unauthenticated checkout-script injection on a live ecommerce path with active skimming reports is a drop-everything patch."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Fingerprint Funnel Builder on the storefront
Attackers use ordinary web recon tooling such as
WPScan, curl, or passive HTML/plugin fingerprinting to identify WordPress stores running Funnel Builder. The target pool is not every WordPress site; it is specifically stores using FunnelKit checkout customization and still below 3.15.0.3.Conditions required:
- Target runs WordPress with Funnel Builder installed
- Plugin version is earlier than 3.15.0.3
- Checkout functionality is reachable from the internet
Where this breaks in practice:
- Population is narrower than generic WordPress bugs because the plugin is a specific ecommerce add-on
- Some sites patch quickly or hide version clues
Detection/coverage: External scanners can usually identify the plugin family, but exact vulnerable versioning is hit-or-miss without authenticated inventory or file inspection.
STEP 02
Hit the public checkout AJAX path with curl or requests
The exploit path described by NVD and Sansec is straightforward: send an unauthenticated request to the public checkout endpoint and select an internal method that should never have been callable by anonymous users. This is not a role-abuse chain; the bug is that the endpoint trusts the caller too much.
Conditions required:
- Unauthenticated network reachability to the checkout endpoint
- Vulnerable code path still present
- No WAF rule specifically blocking the crafted request pattern
Where this breaks in practice:
- A tuned WAF or virtual patch can break the exact request shape
- Some stores place checkout behind CDN bot controls that may slow commodity exploitation
Detection/coverage: Look for anomalous POSTs to Funnel Builder/WooCommerce checkout endpoints from non-customer user agents, especially requests that alter settings rather than submit carts.
STEP 03
Write malicious JavaScript into External Scripts
Successful abuse lets the attacker persist arbitrary script content in the plugin's global settings. Sansec observed fake analytics or tag-manager style payloads used to blend in with legitimate marketing tags while loading a card skimmer from attacker-controlled infrastructure.
Conditions required:
- The vulnerable internal method can write to plugin settings
- Store operators have not already cleaned or locked the setting
Where this breaks in practice:
- Security teams that diff WordPress options or review checkout customizations may catch the change
- Some environments disallow outbound script loads via CSP, though many WooCommerce stores are permissive by design
Detection/coverage: Config-drift monitoring on WordPress options and DOM inspection of checkout pages are much better than simple vuln scanning here.
STEP 04
Skim payment data from every victim checkout session
Once the script is rendered on live checkout pages, every shopper becomes the execution vehicle. Impact is downstream browser compromise of the payment flow: card numbers, CVVs, billing details, and checkout metadata can be exfiltrated without needing server-shell access.
Conditions required:
- Store continues serving compromised checkout pages
- Customers use the affected checkout flow
- Browser-side defenses do not block the malicious script
Where this breaks in practice:
- Blast radius is tenant-local rather than internet-wide across unrelated organizations
- The bug does not directly hand over the WordPress server or database
Detection/coverage: Payment-page integrity monitoring, CSP violation reports, third-party JS inventory, and client-side skimmer detection are the most relevant controls.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | Yes. Sansec reported active exploitation on 2026-05-14, with attackers injecting fake tag-manager style scripts into WooCommerce checkout pages to steal payment data. NVD later added the Sansec research as a reference. Sources: Sansec, NVD |
|---|---|
| KEV status | Not in CISA KEV based on the current catalog view, but that is not reassuring here because third-party reporting already shows active abuse. Source: CISA KEV Catalog |
| EPSS | User-supplied EPSS is 0.00048; Tenable currently shows 0.00036. Either way, EPSS is very low and clearly lags the observed WordPress skimming activity here. Source: Tenable CVE page |
| PoC availability | I did not find a reputable public GitHub PoC in primary-source checking, but the exploit path is already described plainly enough by Sansec and NVD that a working request is likely trivial for an experienced attacker. Sources: Sansec, NVD |
| CVSS vector reality check | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N captures the lack of auth and low complexity, but it misses the payment-skimming business impact of checkout-page script injection. NVD also shows a CVSS 4.0 base of 8.7 HIGH from VulnCheck. Source: NVD |
| Affected versions | All versions before 3.15.0.3 are affected according to NVD and Sansec. Source: NVD, Sansec |
| Fixed version | 3.15.0.3 is the fix line. WordPress.org marks that release with a security hardening entry, and FunnelKit's release note on 2026-05-21 describes it as a security-focused update. Sources: WordPress plugin page, FunnelKit release notes |
| Exposure population | This is not a generic WordPress core issue, but exposure is still meaningful: WordPress.org shows 30,000+ active installs, while Sansec and downstream reporting cite 40,000+ stores using the plugin. TechRadar, citing WordPress.org stats at the time, said 50.3% were on older versions, implying roughly 20,000+ directly exposed then. Sources: WordPress plugin page, Sansec, TechRadar |
| Disclosure timeline | Active exploitation was publicly reported on 2026-05-14 by Sansec; media coverage and patch uptake followed on 2026-05-15/16; the CVE was published by NVD on 2026-05-19; FunnelKit's public release note for 3.15.0.3 is dated 2026-05-21. Sources: Sansec, NVD, FunnelKit release notes |
| Detection and scanning coverage | Traditional network scanners are weak here because the real abuse is application-layer settings tampering. Better coverage comes from authenticated plugin inventory, WordPress option/config drift checks, web logs for odd checkout endpoint POSTs, and client-side payment-page integrity monitoring. Source: Sansec |
04 · The Call
noisgate verdict.
Final Verdict
↑ UPGRADED to CRITICAL (9.1/10)
The decisive amplifier is active exploitation against an unauthenticated, internet-facing checkout endpoint. This is not a hypothetical integrity bug buried in an admin panel; it is a live payment-page tampering path that can harvest customer card data at scale from every affected store session.
HIGH Exploitability and attacker position assessment
HIGH Impact to ecommerce checkout integrity and customer payment data
MEDIUM Exact remaining exposed population after patch release
Why this verdict
- Upgraded for active exploitation: Sansec reported real-world skimming activity, which overrides the comfort you might otherwise take from the low EPSS and lack of KEV listing.
- Unauthenticated remote on a public path: no prior foothold, no account, and no victim interaction are required to plant the malicious checkout script.
- Checkout blast radius is business-critical: compromise lands on the revenue path and can impact every shopper using the affected flow, turning one plugin bug into a payment-card incident.
Why not higher?
This is not a 10.0 class event because it does not directly yield server-side code execution, domain-wide takeover, or cross-tenant propagation. The affected population is also limited to stores running this specific plugin below 3.15.0.3, not all WordPress or all WooCommerce deployments.
Why not lower?
A downgrade would ignore the real-world context that matters most: documented exploitation and a public unauthenticated attack surface. Even though the technical primitive is 'just' stored script injection via settings abuse, on a checkout page that is operationally equivalent to a live payment-skimming incident.
05 · Compensating Control
What to do — in priority order.
- Block the vulnerable checkout request pattern — Deploy a WAF or reverse-proxy rule to deny suspicious unauthenticated POSTs to Funnel Builder/WooCommerce checkout endpoints that attempt method invocation or settings writes. Because exploitation is already reported, do this within hours, not days, to buy time for hosts you cannot patch immediately.
- Audit and purge
External Scriptsnow — Review Funnel Builder's checkout-related script settings for unknown analytics/tag-manager snippets, encoded loaders, or new third-party domains, then remove anything unauthorized. Do this within hours because patching alone does not remove an already-planted skimmer. - Turn on payment-page integrity monitoring — Add or tighten CSP reporting, client-side script inventory checks, and alerting for new JavaScript on checkout pages. Deploy this within 3 days at minimum so future script drift is caught even if another plugin or admin path is abused.
- Hunt for anomalous checkout endpoint traffic — Search web and CDN logs for unusual POSTs to Funnel Builder/WooCommerce checkout endpoints from bots, scanners, or non-customer user agents, especially around 2026-05-14 onward when active abuse was publicly reported. Start within hours so you can triage likely-compromised stores before fraud reports arrive.
What doesn't work
- Relying on MFA for WordPress admins does not stop this bug because the exploit path is explicitly unauthenticated.
- A generic EDR agent on the web server is weak coverage for browser-side skimming injected through application settings; the payload executes in customer browsers, not necessarily as a noisy server process.
- Patching only is not enough if the store was already hit; the malicious script can remain in settings after the vulnerable code is removed.
06 · Verification
Crowdsourced verification payload.
Run this on the target WordPress host or inside the web container with read access to the site files. Invoke it as bash check_funnelkit_cve_2026_47100.sh /var/www/html and use a user that can read wp-content/plugins; root is not required unless file permissions are restrictive.
#!/usr/bin/env bash
# check_funnelkit_cve_2026_47100.sh
# Detects whether Funnel Builder for WooCommerce Checkout is below 3.15.0.3
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
set -euo pipefail
TARGET_VERSION="3.15.0.3"
WP_ROOT="${1:-}"
if [[ -z "$WP_ROOT" ]]; then
echo "UNKNOWN: usage: $0 /path/to/wordpress"
exit 2
fi
PLUGIN_FILE="$WP_ROOT/wp-content/plugins/funnel-builder/funnel-builder.php"
README_FILE="$WP_ROOT/wp-content/plugins/funnel-builder/readme.txt"
if [[ ! -f "$PLUGIN_FILE" ]]; then
echo "UNKNOWN: Funnel Builder plugin file not found at $PLUGIN_FILE"
exit 2
fi
get_version() {
local file="$1"
if [[ -f "$file" ]]; then
grep -E '^\s*Version:' "$file" | head -n1 | sed -E 's/^\s*Version:\s*//'
fi
}
VERSION="$(get_version "$PLUGIN_FILE" || true)"
if [[ -z "$VERSION" && -f "$README_FILE" ]]; then
VERSION="$(grep -E '^\s*Stable tag:' "$README_FILE" | head -n1 | sed -E 's/^\s*Stable tag:\s*//')"
fi
if [[ -z "$VERSION" ]]; then
echo "UNKNOWN: could not determine installed Funnel Builder version"
exit 2
fi
version_lt() {
local a="$1"
local b="$2"
[[ "$a" != "$b" && "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" == "$a" ]]
}
STATUS="PATCHED"
EXITCODE=0
if version_lt "$VERSION" "$TARGET_VERSION"; then
STATUS="VULNERABLE"
EXITCODE=1
fi
# Optional lightweight artifact check if wp-cli is available.
SUSPICIOUS_NOTE=""
if command -v wp >/dev/null 2>&1 && [[ -f "$WP_ROOT/wp-config.php" ]]; then
if wp --path="$WP_ROOT" option list --format=csv >/dev/null 2>&1; then
HITS="$(wp --path="$WP_ROOT" option list --format=csv 2>/dev/null | grep -Ei 'external.?scripts|wfacp|script' | head -n 5 || true)"
if [[ -n "$HITS" ]]; then
SUSPICIOUS_NOTE=" | NOTE: review Funnel Builder checkout/script-related options with wp-cli"
fi
fi
fi
echo "$STATUS: Funnel Builder version $VERSION (fixed in $TARGET_VERSION)$SUSPICIOUS_NOTE"
exit $EXITCODE
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning plan: treat every internet-facing WooCommerce store with Funnel Builder as an incident candidate, not just a patch candidate. Because there is active exploitation evidence, patch / mitigate immediately, within hours for exposed hosts and simultaneously inspect the plugin's
External Scripts setting plus checkout-page JavaScript for skimmer residue; do not wait for the normal noisgate mitigation SLA. For patch governance, push all affected instances to 3.15.0.3 or later immediately, and for any stragglers you cannot fix the same day, force temporary request-blocking and checkout integrity monitoring while you burn down the remaining estate; the outside limit from the noisgate remediation SLA for a CRITICAL is ≤90 days, but this one should not be allowed to sit anywhere near that long.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.