The Checkout Field Editor (Checkout Manager) for WooCommerce plugin suffers from a stored cross-site scripting vulnerability (CWE-79) in versions up to 2.1.7. The vulnerability is caused by the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php`, which escapes input with `esc_html()` but then reverses this escaping with `html_entity_decode()` for radio and checkbox group fields. Additionally, the `get_allowed_html()` function permits the `<select>` element with an `onchange` event handler attribute, allowing injection of arbitrary scripts. This flaw enables unauthenticated attackers to inject malicious JavaScript via the WooCommerce Block Checkout Store API endpoint, which executes when an administrator views the affected order details page.

An unauthenticated attacker can exploit this vulnerability to inject and store malicious scripts in checkout field values. These scripts execute in the context of an administrator's browser when viewing order details, potentially leading to credential theft, session hijacking, or other malicious actions limited to the administrator's privileges. The CVSS 3.1 base score is 7.2 (High), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact on confidentiality and integrity with no impact on availability. No known exploits in the wild have been reported.

No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, administrators should exercise caution when reviewing order details and consider restricting access to trusted personnel only. Monitoring vendor channels for updates and applying patches promptly once available is recommended.