ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-47100 Missing Authorization in FunnelKit Funnel Builder Enables Checkout Page Skimming on 40,000+ WooCommerce Stores

A brief summary of CVE-2026-47100, a missing authorization flaw in the Funnel Builder for WooCommerce Checkout plugin that allows unauthenticated attackers to inject JavaScript skimmers into checkout pages. Active exploitation has been confirmed by Sansec researchers targeting over 40,000 WooCommerce stores.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Brief Summary: CVE-2026-47100 Missing Authorization in FunnelKit Funnel Builder Enables Checkout Page Skimming on 40,000+ WooCommerce Stores
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Over 40,000 WooCommerce stores running the FunnelKit Funnel Builder plugin are exposed to a missing authorization flaw that allows unauthenticated attackers to inject JavaScript payment skimmers directly into checkout pages. Sansec researchers have confirmed active exploitation, with threat actors deploying Magecart style skimmers that harvest credit card numbers, CVVs, and billing addresses from unsuspecting shoppers.

FunnelKit's Funnel Builder is a WordPress plugin that provides checkout page customization, sales funnels, and upsell workflows for WooCommerce merchants. With more than 40,000 active installations, it occupies a significant niche in the WooCommerce ecosystem. Its deep integration with the checkout flow means that a vulnerability in this plugin has a direct path to payment data.

Technical Information

The vulnerability resides in the public AJAX endpoint handled by class-wfacp-ajax-controller.php. In versions prior to 3.15.0.3, this controller accepts incoming requests and dispatches them to internal methods based on a caller supplied parameter. The critical flaw is twofold: the endpoint performs no authorization or capability check on the caller, and it does not restrict which internal methods can be invoked.

This means any unauthenticated user can craft a request that reaches internal methods never intended to be publicly accessible. One such method is responsible for writing data into the plugin's global settings store. By targeting this method, an attacker can write arbitrary content into the "External Scripts" setting, a field whose contents are automatically rendered as HTML and JavaScript on every checkout page the plugin generates.

Attack Flow

The exploitation chain observed in the wild proceeds through the following stages:

  1. Initial injection: The attacker sends an unauthenticated AJAX request to the Funnel Builder's public checkout endpoint. The request specifies the internal method that writes to global settings and includes a malicious JavaScript payload as the data to be written into the External Scripts field.

  2. Persistence via global settings: Because the External Scripts setting is a global configuration value, the injected code persists across page loads and affects every checkout page rendered by the plugin. This is effectively a stored cross site scripting condition, but one achieved through an authorization bypass rather than a traditional input validation failure.

  3. Disguised payload delivery: The injected script is crafted to resemble a legitimate Google Tag Manager snippet. On page load, it decodes a base64 encoded string that resolves to a URL pointing to the attacker controlled domain analytics-reports[.]com, from which an external JavaScript file is fetched.

  4. WebSocket based C2: The loaded script establishes a WebSocket connection to wss://protect-wss[.]com/ws. The command and control server responds with a customized payment skimmer tailored to the target storefront's checkout form structure.

  5. Data exfiltration: The skimmer intercepts credit card numbers, CVVs, and billing addresses as shoppers complete their purchases, exfiltrating the data back to the attacker's infrastructure.

Patch Details

The changeset at revision 3530797 in the WordPress Plugin Repository shows the remediation approach. Version 3.15.0.3 adds capability checks to the endpoint and restricts callable methods to a strict allowlist of safe operations. The patch also introduces nonce verification, requiring a valid wfacp_nonce parameter before any request is processed.

CVSS Score Discrepancy

It is worth noting the scoring difference between the NVD (7.5) and VulnCheck (8.7). The NVD score likely reflects the technical characteristics of the authorization bypass in isolation, while VulnCheck's higher score may account for the downstream impact: stored script injection affecting all checkout visitors and the confirmed active exploitation enabling financial data theft.

Affected Systems and Versions

All versions of the Funnel Builder for WooCommerce Checkout plugin prior to version 3.15.0.3 are affected. The vulnerability is classified under CWE-862 (Missing Authorization).

Any WordPress site running a vulnerable version of the plugin with the checkout module active is exploitable by an unauthenticated remote attacker. No special configuration is required beyond having the plugin installed and active.

Vendor Security History

FunnelKit has a documented history of authorization and input validation issues. In September 2022, researchers disclosed vulnerabilities in WooFunnels version 2.3.0, including Session Token URL hijacking and Stored Cross Site Scripting flaws that could be used to target authenticated users. The reappearance of an authorization bypass vulnerability in the same product line suggests that the plugin's AJAX endpoint architecture may benefit from a broader security audit, particularly around how internal methods are exposed and protected.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization