Checkout Field Editor for WooCommerce Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Checkout Field Editor (Checkout Manager) for WooCommerce plugin, affecting all versions through 2.1.7. The issue arises from the 'prepare_single_field_data' method in 'class-thwcfd-block-order-data.php', which improperly handles the escaping of custom radio and checkbox group field values. This vulnerability allows unauthenticated attackers to inject malicious scripts that are executed when an administrator views the order details.
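To make the bug class concrete, here is a stand-alone PHP illustration added for this advisory. It is not code from the plugin, nor the patched code shipped in 2.1.8; the function names and the sample order values are constructed. It renders the values a customer submitted for a checkbox-group field the way an admin order screen would, first without escaping and then with output escaping plus a check that the submitted values are among the options configured for the field. `htmlspecialchars()` stands in for WordPress's `esc_html()` so the file runs without WordPress.

```php
<?php
// Added illustration of the bug class described above (not the plugin's code).
// A checkout field value chosen by the customer is later rendered in the admin
// order-details screen. All names and sample data here are constructed.

/**
 * Defective rendering: the customer-supplied values are concatenated into HTML
 * as-is, so any markup they contain becomes part of the admin page.
 */
function render_field_unescaped(string $label, array $values): string {
    $items = '';
    foreach ($values as $v) {
        $items .= '<li>' . $v . '</li>';
    }
    return '<strong>' . $label . '</strong><ul>' . $items . '</ul>';
}

/**
 * HTML-escape untrusted text before placing it in element content.
 * In WordPress the equivalent is esc_html() (and esc_attr() inside attributes);
 * htmlspecialchars() is used so this example runs without WordPress.
 */
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Defence in depth for radio/checkbox groups: the set of valid values is fixed
 * by the field configuration, so anything outside that set can be discarded
 * before it is stored or displayed. Escaping on output is still required.
 */
function filter_to_allowed(array $submitted, array $allowed): array {
    return array_values(array_filter(
        $submitted,
        fn($v) => in_array($v, $allowed, true)
    ));
}

/**
 * Hardened rendering: every untrusted string is escaped, and the values are
 * first reduced to the configured options.
 */
function render_field_escaped(string $label, array $values, array $allowed): string {
    $items = '';
    foreach (filter_to_allowed($values, $allowed) as $v) {
        $items .= '<li>' . esc($v) . '</li>';
    }
    return '<strong>' . esc($label) . '</strong><ul>' . $items . '</ul>';
}

// Constructed sample order data: a checkbox group with two configured options,
// where the submitted values include one that is not an option and carries markup.
$label   = 'Gift options';
$allowed = ['Gift wrap', 'Gift receipt'];
$values  = ['Gift wrap', '<i>not-a-configured-option</i>'];

echo "Unescaped (markup is interpreted by the browser):\n";
echo render_field_unescaped($label, $values), "\n\n";

echo "Escaped and validated (markup is shown as text, unknown value dropped):\n";
echo render_field_escaped($label, $values, $allowed), "\n";
```

Run it with `php example.php`. The first output embeds the `<i>` tag as live markup, which is exactly the condition that lets a stored script run in the administrator's browser; the second either drops the value (because it is not a configured option) or, had it been allowed, would render `&lt;i&gt;...` as inert text. When auditing a fix of this kind, confirm that every customer-controlled string reaching the order screen passes through `esc_html()`/`esc_attr()` at the point of output, not only on save.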

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the order details.

Reproduction

To reproduce this vulnerability, create a custom radio or checkbox group field using the Checkout Field Editor for WooCommerce plugin. Then, submit a WooCommerce order through a checkout block that includes the custom field. The injected script will be executed when an administrator views the order details.

Remediation

Users are advised to update the Checkout Field Editor for WooCommerce plugin to version 2.1.8 or later.

Added: Mar 11, 2026, 10:20 AM
Updated: Mar 11, 2026, 10:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.4
exploitability: 7.2
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.