CVE-2024-1697 in Custom WooCommerce Checkout Fields Editor Plugin
Summary
by MITRE • 03/23/2024
The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/13/2025
The vulnerability identified as CVE-2024-1697 affects the Custom WooCommerce Checkout Fields Editor plugin for WordPress, representing a critical security flaw that enables stored cross-site scripting attacks. This issue exists within the save_wcfe_options function and impacts all plugin versions up to and including 1.3.1, creating a persistent threat vector that can compromise user sessions and execute malicious code within the context of affected websites. The vulnerability specifically targets authenticated attackers who possess subscriber-level access or higher, making it particularly dangerous as it can be exploited by users who already have some level of authorization within the WordPress environment.
The technical flaw stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase. When administrators or authorized users interact with the plugin's configuration interface and save checkout field options, the input data is not properly validated or sanitized before being stored in the database. This failure allows malicious scripts to be persistently stored and subsequently executed whenever legitimate users access pages containing the injected content. The vulnerability operates under CWE-79 which specifically addresses cross-site scripting flaws, where inadequate sanitization of user-provided data creates opportunities for attackers to inject malicious scripts that can execute in the browsers of other users.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, data theft, and privilege escalation. An attacker with subscriber-level access can inject scripts that steal cookies, redirect users to malicious sites, or even modify the functionality of the checkout process itself. The stored nature of the vulnerability means that the injected scripts remain active until manually removed, creating a persistent threat that can affect multiple users over time. This makes the vulnerability particularly dangerous in e-commerce environments where sensitive customer data is processed and stored.
Mitigation strategies for CVE-2024-1697 should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies. System administrators should also implement network monitoring to detect unusual script injections and consider implementing content security policies that restrict script execution within the WordPress environment. Additionally, privileged users should be educated about the risks of modifying plugin settings and the importance of validating all input before saving configuration changes. The vulnerability highlights the critical importance of input validation and output escaping practices as outlined in the OWASP Top Ten security principles and aligns with ATT&CK technique T1566 which covers social engineering tactics including the use of malicious scripts to compromise user sessions and gain unauthorized access to systems. Organizations should also consider implementing web application firewalls and regular security audits to identify and remediate similar vulnerabilities across their WordPress installations.