CVE-2026-3231
Received Received - Intake
Stored XSS in WooCommerce Checkout Manager via Store API

Publication date: 2026-03-11

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3231
EUVD
EUVD-2026-11131
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence woo_checkout_field_editor_pro 2.1.7
wordfence woo_checkout_field_editor_pro 2.1.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the WooCommerce plugin "Checkout Field Editor (Checkout Manager)" for WordPress is a Stored Cross-Site Scripting (XSS) issue affecting custom radio and checkbox group field values submitted through the WooCommerce Block Checkout Store API in versions up to and including 2.1.7.

It occurs because the method `prepare_single_field_data()` in the plugin's code first escapes field values with `esc_html()`, but then immediately reverses this escaping with `html_entity_decode()` for radio and checkbox group fields. Additionally, the plugin uses a permissive HTML allowlist that explicitly permits the `<select>` element with the `onchange` event handler attribute.

This combination allows unauthenticated attackers to inject arbitrary malicious web scripts via the Store API checkout endpoint. These scripts execute when an administrator views the order details page, potentially compromising the admin's browser.

Impact Analysis

This Stored Cross-Site Scripting (XSS) vulnerability can allow attackers to inject malicious scripts into custom checkout fields that are stored in the system.

When an administrator views the affected order details page, these malicious scripts execute in the administrator's browser context.

  • Potential impacts include theft of administrator session cookies or credentials.
  • Execution of arbitrary actions with administrator privileges.
  • Compromise of the website's administrative interface and data.

Because the vulnerability can be exploited by unauthenticated attackers via the Store API, it poses a significant risk to site security and integrity.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the Stored Cross-Site Scripting (XSS) vulnerability in the Woo Checkout Field Editor Pro plugin (CVE-2026-3231), you should immediately update the plugin to version 2.1.8 or later, which contains the security fix.

The update improves sanitization and output encoding of custom field data by using a stricter whitelist of allowed HTML tags and attributes via the wp_kses() function, preventing malicious script injection.

Additionally, the plugin now sanitizes input values more rigorously before storing them, reducing the risk of malicious payloads being saved in order metadata or displayed in the frontend.

Applying this update and ensuring your WooCommerce environment is compatible with the plugin version 2.1.8 (tested up to WooCommerce 10.5) will mitigate the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart