CVE-2026-3231

{"id": "CVE-2026-3231", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-3231", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T13:25:54.947751Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "themehigh", "product": "Checkout Field Editor (Checkout Manager) for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.7"}], "defaultStatus": "unaffected"}]}], "published": "2026-03-11T10:16:13.873", "references": [{"url": "https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/block/class-thwcfd-block-order-data.php#L437", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/block/class-thwcfd-block.php#L388", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-checkout-field-editor-pro/tags/2.1.7/includes/utils/class-thwcfd-utils.php#L476", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3478914%40woo-checkout-field-editor-pro%2Ftrunk&old=3454287%40woo-checkout-field-editor-pro%2Ftrunk&sfp_email=&sfph_mail=#file1", "source": "security@wordfence.com"}, {"url": "https://research.cleantalk.org/cve-2026-3231/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df406e59-94d9-4704-82a3-02c2c1773c82?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via the Store API checkout endpoint that execute when an administrator views the order details page."}, {"lang": "es", "value": "El plugin Checkout Field Editor (Checkout Manager) para WooCommerce para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de valores de campo personalizados de tipo radio y checkboxgroup enviados a trav\u00e9s de la API de la tienda de pago por bloques de WooCommerce en todas las versiones hasta la 2.1.7, inclusive. Esto se debe al m\u00e9todo `prepare_single_field_data()` en `class-thwcfd-block-order-data.php` que primero escapa los valores con `esc_html()` y luego revierte inmediatamente el escape con `html_entity_decode()` para los tipos de campo radio y checkboxgroup, combinado con una lista de permitidos `wp_kses()` permisiva en `get_allowed_html()` que permite expl\u00edcitamente el elemento `` con el atributo gestor de eventos `onchange`. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios a trav\u00e9s del endpoint de pago de la API de la tienda que se ejecutan cuando un administrador ve la p\u00e1gina de detalles del pedido."}], "lastModified": "2026-06-17T10:43:15.640", "sourceIdentifier": "security@wordfence.com"}