Improper neutralization of user input during web page generation enables an attacker to inject malicious scripts that are persisted within the Custom Checkout Fields for WooCommerce plugin. The stored XSS flaw can execute in the browsers of all users who view the checkout page, potentially allowing an attacker to steal credentials, deface the site, or redirect users to malicious sites. The vulnerability is tied to CWE‑79, which describes unsafe handling of user-supplied content. Adverse effects include loss of confidentiality, integrity, and possibly availability if injected scripts interrupt checkout flows.

WPFactory Custom Checkout Fields for WooCommerce is impacted in all releases from the earliest version through and including 1.8.3. Any WordPress site that has installed this plugin version is vulnerable. If the site has applied a newer version (1.8.4 or later) the flaw is considered resolved. No additional version details are provided beyond the inclusive range. The vulnerability should be assessed against all sites that have the plugin installed within the specified range.

The CVSS score of 6.5 indicates moderate risk, and the EPSS score of less than 1% implies low current likelihood of exploitation. The flaw is not listed in CISA’s KEV catalog, suggesting no widespread publicly known exploits at this time. The likely attack vector involves an adversary who can submit data to the checkout field configuration interface—either via an administrative account, a merchant account with field‑add privileges, or a front‑end user with custom field creation rights. Once a malicious payload is stored, it will execute in the browser context of any user who accesses the checkout page. While the exploitation conditions are clear from the description, the actual vector is inferred from typical plugin operations, and may vary if an organization has restricted field editing capabilities.