CVE-2026-3231 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Checkout Field Editor (Checkout Manager) plugin for WooCommerce on WordPress. The flaw exists in all versions up to 2.1.7 due to insecure handling of custom radio and checkbox group field values submitted via the WooCommerce Block Checkout Store API. Specifically, the method `prepare_single_field_data()` in `class-thwcfd-block-order-data.php` first escapes input values using `esc_html()`, but then immediately reverses this escaping with `html_entity_decode()` for these field types. This flawed logic, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `<select>` element with the `onchange` event handler attribute, enables attackers to inject arbitrary JavaScript code. Since the injection is stored, the malicious script executes whenever an administrator views the affected order details page in the WordPress backend. The vulnerability requires no authentication or user interaction to exploit, making it accessible to unauthenticated remote attackers. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity with scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WooCommerce sites using this plugin, especially those with administrative users who view order details.

The primary impact of CVE-2026-3231 is the execution of arbitrary JavaScript in the context of the WordPress administrative interface. This can lead to theft of administrator credentials, session hijacking, and unauthorized actions performed with administrative privileges. Since the malicious payload is stored and triggered when viewing order details, attackers can maintain persistent access or conduct targeted attacks against site administrators. This compromises the confidentiality and integrity of the e-commerce platform and potentially the entire WordPress installation. The vulnerability does not directly affect availability but can facilitate further attacks that degrade service or lead to data breaches. Organizations worldwide using WooCommerce with this plugin are at risk, particularly those with high transaction volumes and sensitive customer data. The ease of exploitation without authentication increases the threat level, making it attractive for attackers to target e-commerce sites for financial gain or disruption.

1. Immediately restrict access to the WordPress administrative interface to trusted personnel only, using IP whitelisting or VPNs where possible. 2. Monitor web server and application logs for suspicious requests to the WooCommerce Block Checkout Store API and unusual activity in order detail views. 3. Disable or remove the Checkout Field Editor (Checkout Manager) plugin until a patched version is released. 4. If disabling the plugin is not feasible, implement a Web Application Firewall (WAF) with custom rules to block requests containing suspicious payloads targeting radio and checkbox group fields. 5. Educate administrators to avoid clicking on suspicious orders or unknown input values until the issue is resolved. 6. Once a vendor patch is available, apply it promptly and verify that the vulnerability is mitigated by testing with crafted payloads. 7. Review and harden the allowed HTML tags and attributes in the plugin’s sanitization functions to prevent event handler attributes like 'onchange' from being permitted. 8. Consider additional security controls such as multi-factor authentication for administrators to reduce risk from stolen credentials.