Attack Chain

1. An unauthenticated attacker identifies the vulnerable checkout endpoint in the Funnel Builder plugin.
2. The attacker crafts a malicious HTTP request to the checkout endpoint, bypassing authorization checks.
3. This request invokes an internal method to modify plugin settings.
4. The attacker writes arbitrary data containing malicious JavaScript code to the External Scripts global setting.
5. A user visits the checkout page on the affected WooCommerce site.
6. The injected JavaScript code from the External Scripts setting executes in the user’s browser.
7. The malicious JavaScript performs actions such as stealing payment information, redirecting the user to a phishing site, or defacing the page.
8. The attacker gains access to sensitive user data or compromises the integrity of the checkout process.

Impact

Successful exploitation of this vulnerability allows an attacker to inject malicious JavaScript into the checkout pages of WooCommerce stores using the Funnel Builder plugin. This could lead to the theft of customer payment information, redirection to phishing sites, or defacement of the checkout page, affecting potentially all users visiting the checkout page. Given the widespread use of WooCommerce for e-commerce, a large number of stores and customers are potentially at risk.

Recommendation

• Upgrade the Funnel Builder for WooCommerce Checkout plugin to version 3.15.0.3 or later to patch CVE-2026-47100.
• Deploy the Sigma rule “Detect CVE-2026-47100 Exploitation — Funnel Builder Unauthorized Script Injection” to your SIEM to detect exploitation attempts.
• Monitor web server logs for suspicious POST requests to checkout endpoints with attempts to modify script settings, as indicated by the log source in the provided Sigma rule.