CVE-2026-3231
Stored XSS in WooCommerce Checkout Manager via Store API
Publication date: 2026-03-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | woo_checkout_field_editor_pro | 2.1.7 |
| wordfence | woo_checkout_field_editor_pro | 2.1.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WooCommerce plugin "Checkout Field Editor (Checkout Manager)" for WordPress is a Stored Cross-Site Scripting (XSS) issue affecting custom radio and checkbox group field values submitted through the WooCommerce Block Checkout Store API in versions up to and including 2.1.7.
It occurs because the method `prepare_single_field_data()` in the plugin's code first escapes field values with `esc_html()`, but then immediately reverses this escaping with `html_entity_decode()` for radio and checkbox group fields. Additionally, the plugin uses a permissive HTML allowlist that explicitly permits the `<select>` element with the `onchange` event handler attribute.
This combination allows unauthenticated attackers to inject arbitrary malicious web scripts via the Store API checkout endpoint. These scripts execute when an administrator views the order details page, potentially compromising the admin's browser.
How can this vulnerability impact me? :
This Stored Cross-Site Scripting (XSS) vulnerability can allow attackers to inject malicious scripts into custom checkout fields that are stored in the system.
When an administrator views the affected order details page, these malicious scripts execute in the administrator's browser context.
- Potential impacts include theft of administrator session cookies or credentials.
- Execution of arbitrary actions with administrator privileges.
- Compromise of the website's administrative interface and data.
Because the vulnerability can be exploited by unauthenticated attackers via the Store API, it poses a significant risk to site security and integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Stored Cross-Site Scripting (XSS) vulnerability in the Woo Checkout Field Editor Pro plugin (CVE-2026-3231), you should immediately update the plugin to version 2.1.8 or later, which contains the security fix.
The update improves sanitization and output encoding of custom field data by using a stricter whitelist of allowed HTML tags and attributes via the wp_kses() function, preventing malicious script injection.
Additionally, the plugin now sanitizes input values more rigorously before storing them, reducing the risk of malicious payloads being saved in order metadata or displayed in the frontend.
Applying this update and ensuring your WooCommerce environment is compatible with the plugin version 2.1.8 (tested up to WooCommerce 10.5) will mitigate the vulnerability.