CVE-2026-3231 in Checkout Field Editor for WooCommerce Plugininfo

Summary

by MITRE • 03/11/2026

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/17/2026

The vulnerability identified as CVE-2026-3231 affects the Checkout Field Editor plugin for WooCommerce, a widely used WordPress extension that allows customization of checkout forms. This plugin enables merchants to modify the standard WooCommerce checkout process by adding custom fields such as radio buttons and checkbox groups. The flaw exists in versions up to and including 2.1.7, making it a persistent threat across a significant portion of the plugin's user base. The vulnerability is classified as a stored cross-site scripting issue, meaning malicious scripts can be permanently stored on the server and executed whenever administrators view affected order details.

The technical root cause lies within the `prepare_single_field_data()` method located in the `class-thwcfd-block-order-data.php` file. This method implements a flawed data handling pattern where values are first escaped using `esc_html()` which converts special characters to HTML entities for security. However, the implementation then immediately reverses this escaping process by applying `html_entity_decode()` specifically for radio and checkboxgroup field types. This dual approach creates a security gap where the escaping mechanism is effectively neutralized for these particular field types. The vulnerability is further exacerbated by the `get_allowed_html()` method which maintains a permissive whitelist in the `wp_kses()` function that explicitly allows the `<select>` HTML element along with the `onchange` event handler attribute, providing additional attack vectors for malicious script injection.

The operational impact of this vulnerability is significant as it allows unauthenticated attackers to inject arbitrary web scripts through the WooCommerce Block Checkout Store API endpoint. When customers submit checkout forms containing malicious payloads, these scripts are stored in the database and executed whenever administrators access the order details page through the WordPress admin interface. This creates a persistent threat where attackers can potentially escalate privileges, steal administrative sessions, or perform unauthorized actions on the compromised WordPress site. The vulnerability affects the core checkout functionality and poses risks to both merchant and customer data integrity, as the malicious scripts can access sensitive information or manipulate the checkout process.

Security professionals should implement immediate mitigations including updating to the patched version of the Checkout Field Editor plugin as soon as available. Organizations should also consider implementing network-level protections such as web application firewalls to detect and block malicious requests to the Store API endpoints. The vulnerability demonstrates the importance of proper input sanitization and the dangers of combining escaping and unescaping operations without proper validation. From a compliance standpoint, this vulnerability may violate security standards such as those outlined in the CWE-79 category for cross-site scripting flaws, and could potentially be leveraged by threat actors following ATT&CK techniques related to credential access and privilege escalation through web application vulnerabilities. Regular security audits of WordPress plugins and maintaining updated security practices are essential for preventing such vulnerabilities from being exploited in production environments.

Responsible

Wordfence

Reservation

02/25/2026

Disclosure

03/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00321

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!