Unauthenticated Stored XSS in WooCommerce Checkout Field Editor Plugin (CVE-2026-3231)

Vulnerability Key Information Summary Vulnerability Overview CVE ID: CVE-2026-3231 Vulnerability Type: Unauthenticated Stored XSS Affected Plugin: Checkout Field Editor (Checkout Manager) for WooCommerce Vulnerability Cause: The plugin contains a broken escaping pipeline when rendering Block Checkout custom fields of type Radio and related group types. The renderer initially escapes stored values using , but subsequent code uses to decode them back to raw HTML, effectively undoing the escaping. When output is passed through , it utilizes an overly permissive allowlist that includes elements with allowed swap attributes, enabling attacker-controlled payloads to be rendered as active HTML with JavaScript event handlers. Impact: This is a high-severity vulnerability. Since WooCommerce order details represent a privileged workflow surface (frequently accessed by administrators and customer support), attackers can inject payloads during checkout. Once staff process the order, the payload executes, potentially leading to administrator account takeover, creation of new administrators, modification of payment settings, or installation of malicious plugins. Scope of Impact Affected Versions: Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 Install Base: 500,000+ Remediation Measures 1. Remove Decoding: The plugin must remove from the rendering path for any unescaped stored values to prevent the recreation of active HTML after decoding. 2. Harden wp_kses: The allowlist must be hardened; no event handler attributes (such as ) should be permitted on any allowed elements unless defensive controls are in place. 3. Input Validation: Input validation must be applied at the time of storage to ensure checkout field values are stored as safe scalar strings (without markup), and the Store API payload must be validated server-side to prevent tampering. 4. Temporary Mitigation: Until a fixed version is available, Block Checkout custom radio field rendering in order views should be temporarily disabled, as the highest risk originates from privileged administrator order contexts. 5. Monitoring: Implement monitoring for suspicious tags (e.g., , , , event attributes) to enable early detection. POC Code**

Goal Reached Thanks to every supporter — we hit 100%!

Unauthenticated Stored XSS in WooCommerce Checkout Field Editor Plugin (CVE-2026-3231)