PT-2026-20610 · WordPress+1 · Woocommerce Checkout Manager+1
Nosleep · Published 2026-02-19 · Updated 2026-02-23 · CVE-2025-13930
| CVSS v3.1 | 5.3 Medium |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Checkout Manager for WooCommerce versions prior to 7.8.6
Description
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress has an authorization issue. The plugin does not properly verify user authorization to delete attachments and has flawed guest order ownership validation. This allows unauthenticated attackers to delete attachments linked to guest orders by using the wooccm upload nonce and the attachment ID.
Recommendations
Update to version 7.8.6 or later.
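One way to check an installed copy against the fixed version named above. This is an added example, not part of the advisory or the plugin's own code. The function names are hypothetical and the sample plugin headers are constructed.

```python
import re

FIXED_VERSION = "7.8.6"  # first fixed release, per the advisory

# WordPress reads plugin metadata from a "Version:" line in the header comment
# of the plugin's main PHP file, scanning only the first 8 KiB of that file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(php_source: str):
    """Return the Version header value, or None if the header is absent."""
    match = _VERSION_RE.search(php_source[:8192])
    return match.group(1) if match else None


def version_tuple(version: str):
    """Numeric tuple for comparison, so '7.8.10' sorts above '7.8.6'."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(php_source: str):
    """True if older than FIXED_VERSION, False if not, None if unknown."""
    found = parse_plugin_version(php_source)
    if found is None:
        return None  # no header found: flag for manual review, do not assume safe
    a, b = version_tuple(found), version_tuple(FIXED_VERSION)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '7.8' compares as 7.8.0
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample headers (not copied from the real plugin).
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: Example Checkout Plugin\n * Version: 7.8.5\n */\n"
SAMPLE_NEW = SAMPLE_OLD.replace("7.8.5", "7.8.10")

if __name__ == "__main__":
    for label, src in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, parse_plugin_version(src), "affected:", is_affected(src))
```

A plain string comparison would rank 7.8.10 below 7.8.6 and report a patched install as affected, which is why the versions are compared as numeric tuples.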
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Woocommerce Checkout Manager
Woocommerce