Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-m9ey-ssdc-c3g4

Summary The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page.

Aliases

alias	CVE-2026-3231

Fixed_packages

Affected_packages

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-3231

reference_id

reference_type

scores

value	0.00154
scoring_system	epss
scoring_elements	0.36118
published_at	2026-06-12T12:55:00Z

value	0.00154
scoring_system	epss
scoring_elements	0.35939
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-3231

reference_url

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3478914%40woo-checkout-field-editor-pro%2Ftrunk&old=3454287%40woo-checkout-field-editor-pro%2Ftrunk&sfp_email=&sfph_mail=#file1

reference_id

changeset?sfp_email=&sfph_mail=&reponame=&new=3478914%40woo-checkout-field-editor-pro%2Ftrunk&old=3454287%40woo-checkout-field-editor-pro%2Ftrunk&sfp_email=&sfph_mail=#file1

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T13:25:54Z/

url

reference_url

https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/block/class-thwcfd-block-order-data.php#L437

reference_id

class-thwcfd-block-order-data.php#L437

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T13:25:54Z/

url

https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/block/class-thwcfd-block-order-data.php#L437

reference_url

https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/block/class-thwcfd-block.php#L388

reference_id

class-thwcfd-block.php#L388

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T13:25:54Z/

url

https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/block/class-thwcfd-block.php#L388

reference_url

https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/includes/utils/class-thwcfd-utils.php#L476

reference_id

class-thwcfd-utils.php#L476

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T13:25:54Z/

url

https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/includes/utils/class-thwcfd-utils.php#L476

reference_url

https://research.cleantalk.org/cve-2026-3231/

reference_id

cve-2026-3231

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T13:25:54Z/

url

https://research.cleantalk.org/cve-2026-3231/

reference_url

https://www.wordfence.com/threat-intel/vulnerabilities/id/df406e59-94d9-4704-82a3-02c2c1773c82?source=cve

reference_id

df406e59-94d9-4704-82a3-02c2c1773c82?source=cve

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T13:25:54Z/

url

https://www.wordfence.com/threat-intel/vulnerabilities/id/df406e59-94d9-4704-82a3-02c2c1773c82?source=cve

Weaknesses

cwe_id	79
name	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Exploits

Severity_range_score 7.2 - 7.2

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m9ey-ssdc-c3g4

Vulnerability Instance