CVE-2026-47100 is a missing authorization vulnerability in Funnel Builder for WooCommerce Checkout affecting versions prior to 3.15.0.3. The flaw exists in the plugin's public checkout AJAX endpoint, where caller-controlled parameters can dispatch requests to internal methods without proper authorization checks. The endpoint also failed to sufficiently restrict which internal methods could be invoked. As a result, an unauthenticated remote attacker can reach functionality that writes arbitrary data into the plugin's global External Scripts setting. Because this setting is rendered on checkout pages, the vulnerability can be abused to persistently inject attacker-controlled JavaScript into the checkout flow for site visitors. In practice, this creates a stored client-side compromise condition that can be used to deploy payment skimmers or other malicious browser-side logic against customers using the affected checkout pages.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository is a local Docker lab plus Python PoCs for CVE-2026-47100, a missing authorization flaw in FunnelKit / Funnel Builder for WooCommerce Checkout that can lead to unauthenticated stored XSS. The repo contains two Dockerized WordPress environments: a vulnerable instance using Funnel Builder 3.15.0.2 and a patched instance using 3.15.0.3. The exploit path abuses the public WooCommerce checkout AJAX endpoint /?wc-ajax=update_order_review by embedding wfacp_input_hidden_data with action=update_global_settings_fields, causing the vulnerable plugin to update the _wfacp_global_settings option and specifically the wfacp_global_external_script key. That stored value is then rendered on the FunnelKit checkout page, producing stored XSS. Main exploit capabilities: poc/poc_lab.py is the active lab exploit. It creates a WooCommerce session, adds a product to cart, fetches the checkout page, extracts update_order_review_nonce, sends a crafted POST to ?wc-ajax=update_order_review, writes a harmless JavaScript payload into wfacp_global_external_script, and then reloads the checkout page to confirm marker rendering. poc/poc_check.py is a more generic self-test tool with passive and active modes; passive mode fingerprints FunnelKit/WooCommerce checkout pages and extracts nonce/ajax URL without modifying the target, while active mode performs the same harmless write-and-render proof and can optionally clean up the setting afterward. Repository structure: README.md documents the vulnerability, exploit chain, patch behavior, and lab usage. docker-compose.yml defines vulnerable and patched WordPress/MariaDB stacks plus initialization containers. vuln/Dockerfile and patched/Dockerfile build WordPress images and prefetch the corresponding Funnel Builder source versions. scripts/fetch-source.sh exports plugin source from the WordPress SVN repository. scripts/init-wordpress.sh installs and configures WordPress, WooCommerce, Funnel Builder, a lab product, and a FunnelKit checkout page, then resets _wfacp_global_settings. Overall, this is a real exploit lab repository rather than a fake or pure detector; however, the payload is intentionally harmless and oriented toward validation in a controlled environment.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A missing authorization vulnerability in Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts setting, enabling malicious JavaScript injection affecting checkout page visitors.
A missing authorization vulnerability in the FunnelKit Funnel Builder for WooCommerce Checkout plugin that allows unauthenticated attackers to invoke internal AJAX methods, write malicious JavaScript into global checkout settings, and persist payment-skimming code on checkout pages.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.