Impact
The Checkout Field Manager plugin for WooCommerce allows an unauthenticated attacker to upload files through an Ajax endpoint named "ajax_checkout_attachment_upload." The plugin fails to verify that the requester is authorized, so anyone can upload any file type that WordPress considers safe by default, such as images and certain documents. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): the upload input is improperly validated. Although file types are restricted, an attacker can still place malicious assets on the server, which can facilitate further attacks such as phishing or malicious content delivery if the files are later served or executed by vulnerable components.
Affected Systems
Any WordPress site using the Checkout Field Manager (Checkout Manager) for WooCommerce plugin by QuadLayers, on versions 7.8.1 or earlier, is affected. The vulnerability applies regardless of WooCommerce version, as long as the plugin is installed and the "ajax_checkout_attachment_upload" action remains active.
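To check an installation against the affected range, the following added example (not code from the plugin or from the advisory) reads a plugin's main-file header and compares its version with 7.8.1. The function names, the name/author matching heuristic, and the sample header are assumptions constructed for illustration.

```python
import re

LAST_AFFECTED = (7, 8, 1)  # from the advisory: versions 7.8.1 or earlier

# Header lines WordPress reads from the top of a plugin's main PHP file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version|Author):\s*(.+?)\s*$", re.M | re.I)

def parse_plugin_header(php_source):
    """Return header fields; WordPress only scans the first 8 KiB."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.title(), value)
    return fields

def version_tuple(version):
    """Leading numeric components, padded to three: '7.8' -> (7, 8, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    # Suffixes such as '-beta' are ignored, so pre-releases of 7.8.1
    # are treated as affected (conservative choice).
    return version_tuple(version) <= LAST_AFFECTED

def audit(php_source):
    """Classify one plugin main file.

    Assumption: the plugin is recognised by 'checkout' in its name and
    'QuadLayers' as author; adjust to the header on your own install.
    """
    f = parse_plugin_header(php_source)
    if ("checkout" not in f.get("Plugin Name", "").lower()
            or "quadlayers" not in f.get("Author", "").lower()):
        return "not-this-plugin"
    if "Version" not in f:
        return "unknown-version"
    return "affected" if is_affected(f["Version"]) else "not-affected"

# Constructed sample header, not copied from the real plugin file.
SAMPLE = """<?php
/**
 * Plugin Name: Checkout Field Manager (Checkout Manager) for WooCommerce
 * Version:     7.8.1
 * Author:      QuadLayers
 */
"""
```
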
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation events are expected to be rare, and the vulnerability is not currently listed in CISA's KEV catalog. Attackers would need only HTTP access to the site's front end and could trigger the vulnerable endpoint by crafting an AJAX request, without authentication or privileged access. Because the upload is limited to WordPress's default MIME types, the risk of arbitrary code execution is reduced, but uploaded files on the server can still aid in additional compromise or serve malware to site visitors.
OpenCVE Enrichment