CVE-2025-13930: CWE-862 Missing Authorization in quadlayers Checkout Field Manager (Checkout Manager) for WooCommerce
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.
AI Analysis
Technical Summary
CVE-2025-13930 is an authorization bypass vulnerability in the Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress. The plugin fails to properly verify user authorization when deleting attachments and incorrectly validates guest order ownership. This allows unauthenticated attackers to delete attachments associated with guest orders by using the publicly available wooccm_upload nonce and attachment ID. The vulnerability affects versions up to and including 7.8.5 and is classified under CWE-862 (Missing Authorization).
Potential Impact
An attacker without authentication can delete attachments associated with guest orders, potentially causing data loss or disruption of order-related information. The vulnerability does not impact confidentiality or availability beyond the deletion of attachments, and no known exploits have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected plugin's functionalities where possible and monitor for unusual deletion activities related to guest order attachments.
CVE-2025-13930: CWE-862 Missing Authorization in quadlayers Checkout Field Manager (Checkout Manager) for WooCommerce
Description
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13930 is an authorization bypass vulnerability in the Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress. The plugin fails to properly verify user authorization when deleting attachments and incorrectly validates guest order ownership. This allows unauthenticated attackers to delete attachments associated with guest orders by using the publicly available wooccm_upload nonce and attachment ID. The vulnerability affects versions up to and including 7.8.5 and is classified under CWE-862 (Missing Authorization).
Potential Impact
An attacker without authentication can delete attachments associated with guest orders, potentially causing data loss or disruption of order-related information. The vulnerability does not impact confidentiality or availability beyond the deletion of attachments, and no known exploits have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected plugin's functionalities where possible and monitor for unusual deletion activities related to guest order attachments.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-02T21:35:39.501Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699697f36aea4a407a3be053
Added to database: 2/19/2026, 4:56:19 AM
Last enriched: 4/9/2026, 4:39:30 PM
Last updated: 5/22/2026, 5:14:16 PM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.