Description
The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page.
Published: 2026-03-11
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can execute scripts in admin context
Action: Immediate Patch
AI Analysis

Impact

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin, in versions up to and including 2.1.7, contains a flaw in the prepare_single_field_data() method. Custom radio and checkboxgroup field values are escaped with esc_html() but immediately reversed with html_entity_decode(), and the get_allowed_html() allowlist passed to wp_kses() permits the `<select>` element with an onchange handler. This combination allows unauthenticated attackers to store malicious script payloads via the WooCommerce Block Checkout Store API. When an administrator later views an order details page, the injected script executes in the admin context, a Stored Cross‑Site Scripting issue (CWE‑79) that could lead to session hijacking, defacement, or other actions performed with administrative privileges.
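The escape-then-decode pattern and the permissive allowlist described in the Description and in the Impact analysis above, reconstructed as an added PHP illustration beside a hardened form and a small allowlist audit helper. This is not the plugin's own code: the demo_* function names, the allowlist contents and the option-list check are assumptions modelled on the advisory text, and WordPress core (esc_html, wp_kses) is assumed to be loaded.

```php
<?php
// Added illustration, not the plugin's source. Assumes WordPress core is
// loaded (esc_html, wp_kses); every demo_* name and the allowlist contents
// are assumptions modelled on the advisory text.

// Permissive allowlist of the kind the advisory describes: an event-handler
// attribute is explicitly allowed, so wp_kses() will preserve it.
function demo_allowed_html_permissive() {
    return array(
        'select' => array( 'name' => true, 'onchange' => true ),
        'option' => array( 'value' => true ),
    );
}

// Vulnerable pattern: esc_html() is undone by html_entity_decode() for the
// radio and checkboxgroup types, so the raw value reaches wp_kses(), and the
// allowlist above lets markup carrying an onchange attribute through.
function demo_prepare_field_vulnerable( $value, $type ) {
    $out = esc_html( $value );
    if ( in_array( $type, array( 'radio', 'checkboxgroup' ), true ) ) {
        $out = html_entity_decode( $out, ENT_QUOTES ); // reverses esc_html()
    }
    return wp_kses( $out, demo_allowed_html_permissive() );
}

// Hardened form: a submitted option value is data, never markup. Accept only
// values that match the field's configured options (an assumed list passed
// in by the caller), escape each one once for the HTML context it is
// rendered in, and never decode it again. A checkboxgroup may submit several
// values, so arrays are handled too.
function demo_prepare_field_hardened( $value, array $configured_options ) {
    $kept = array();
    foreach ( (array) $value as $v ) {
        if ( in_array( $v, $configured_options, true ) ) {
            $kept[] = esc_html( $v );
        }
    }
    return implode( ', ', $kept );
}

// Defender check: list every allowlist entry that permits an on* attribute,
// which a wp_kses() allowlist applied to stored user input should never hold.
function demo_find_event_handlers( array $allowed ) {
    $found = array();
    foreach ( $allowed as $tag => $attrs ) {
        foreach ( array_keys( (array) $attrs ) as $attr ) {
            if ( 0 === stripos( $attr, 'on' ) ) {
                $found[] = $tag . '.' . $attr;
            }
        }
    }
    return $found;
}
```

Running demo_find_event_handlers() over a plugin's allowlist during code review flags entries such as select.onchange before they reach production.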

Affected Systems

Any WordPress site running the themehigh “Checkout Field Editor (Checkout Manager) for WooCommerce” plugin in a version up to and including 2.1.7 is affected. No other vendors or products are listed, so the vulnerability is limited to this specific plugin and its older releases.

Risk and Exploitability

The CVSS base score of 7.2 indicates a high-impact vulnerability. The EPSS score is reported as less than 1%, signifying a low current exploitation probability; widespread exploitation has not been observed, and the CVE is not present in the CISA KEV catalog. Attackers can exploit the flaw without authentication by submitting malicious values through the front‑end checkout process; the payload is then stored and executed when an administrator accesses the order. The exploitation effort is low, but the potential impact is significant given the administrator privilege context.

Generated by OpenCVE AI on March 17, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin vendor’s website or the WordPress repository for an update to Checkout Field Editor (Checkout Manager) for WooCommerce that addresses the stored XSS flaw and upgrade immediately.
  • If an immediate update cannot be applied, disable or delete the custom radio and checkboxgroup fields that allow arbitrary input, or deactivate the plugin entirely to prevent further injection of malicious scripts.
  • As a temporary safeguard, implement web‑application firewall rules or additional input‑validation logic to block disallowed HTML tags and attributes in checkout submissions until a patch can be applied.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

First Time appeared (values added): Themehigh; Themehigh Checkout Field Editor For Woocommerce; Wordpress; Wordpress wordpress
Vendors & Products (values added): Themehigh; Themehigh Checkout Field Editor For Woocommerce; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 14:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 09:45:00 +0000

Description (values added): the Description text shown at the top of this page.
Title (values added): Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field
Weaknesses (values added): CWE-79
References (values added): none listed
Metrics (values added): cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T13:26:48.463Z

Reserved: 2026-02-25T21:30:41.083Z

Link: CVE-2026-3231

Vulnrichment

Updated: 2026-03-11T13:26:42.518Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T10:16:13.873

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-3231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:27Z

Weaknesses