PT-2026-24657 · Themehigh · Checkout Field Editor (Checkout Manager) For Woocommerce

Dmitry Ignatyev · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-3231

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Checkout Field Editor (Checkout Manager) for WooCommerce versions through 2.1.7
Description: The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API. The issue stems from the prepare_single_field_data() method in class-thwcfd-block-order-data.php, which first escapes values with esc_html() and then reverses that escaping with html_entity_decode() for radio and checkboxgroup field types. Combined with a permissive wp_kses() allowlist in get_allowed_html() that permits the <select> element with the onchange event handler attribute, this allows unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint. The scripts execute when an administrator views the order details page. The vulnerable API endpoint is the WooCommerce Block Checkout Store API. The vulnerable variables are the custom radio and checkboxgroup field values.
Recommendations: Versions through 2.1.7 should be updated to a newer version that addresses this issue.
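As an added illustration of the escape-then-decode pattern the description attributes to prepare_single_field_data(), the standalone PHP below contrasts that pattern with a hardened one; it is not the plugin's own code and not the vendor's patch. It assumes htmlspecialchars() as a stand-in for esc_html() and a small filter_allowlist() function as a stand-in for wp_kses() with rules like those described for get_allowed_html().

```php
<?php
// Added illustration of the escape-then-decode defect described in this
// advisory; not code from the Checkout Field Editor plugin. Assumptions:
// htmlspecialchars() stands in for WordPress's esc_html(), filter_allowlist()
// stands in for wp_kses() with <select> and its onchange attribute allowed.

// Minimal allowlist filter: keeps only listed tags and, on those tags, only
// listed attributes. Listing an on* attribute lets an event handler through.
function filter_allowlist(string $html, array $allowed): string {
    return preg_replace_callback('/<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/', function ($m) use ($allowed) {
        $tag = strtolower($m[2]);
        if (!isset($allowed[$tag])) {
            return ''; // tag not on the allowlist: drop the tag, keep its text
        }
        $kept = '';
        preg_match_all('/([a-zA-Z-]+)\s*=\s*("[^"]*"|\'[^\']*\')/', $m[3], $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            if (in_array(strtolower($a[1]), $allowed[$tag], true)) {
                $kept .= ' ' . $a[1] . '=' . $a[2];
            }
        }
        return '<' . $m[1] . $tag . $kept . '>';
    }, $html);
}

// Vulnerable pattern: escape, decode, allowlist. The decode undoes the escape,
// so only the permissive allowlist stands between the value and the admin page.
function render_choice_vulnerable(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');     // esc_html() stand-in
    $decoded = html_entity_decode($escaped, ENT_QUOTES, 'UTF-8'); // reverses the escape
    return filter_allowlist($decoded, ['select' => ['onchange']]);
}

// Hardened pattern: a radio or checkboxgroup value is plain text that must be one
// of the configured options, so validate it and escape once; no decode, no allowlist.
function render_choice_hardened(string $value, array $options): string {
    if (!in_array($value, $options, true)) {
        return ''; // not a configured option: render nothing
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample value of the shape the advisory describes, plus the options
// an administrator would have configured for the field.
$submitted = '<select onchange="handler()">Express</select>';
$options   = ['Standard', 'Express'];
echo render_choice_vulnerable($submitted), PHP_EOL;         // allowlist passes the markup through
echo render_choice_hardened($submitted, $options), PHP_EOL; // rejected: not a configured option
echo render_choice_hardened('Express', $options), PHP_EOL;  // accepted and escaped for output
```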

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-3231

Affected Products

Checkout Field Editor (Checkout Manager) For Woocommerce