WordPress Plugin Vulnerabilities

Checkout Fields Manager for WooCommerce < 5.5.7 - Reflected Cross-Site Scripting

Description

The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-checkout-manager
Fixed in 5.5.7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
ea617acd-348a-4060-a8bf-08ab3b569577

Timeline

Publicly Published
2022-06-14 (about 3 years ago)
Added
2022-06-14 (about 3 years ago)
Last Updated
2022-06-14 (about 3 years ago)

Other

Published
Title
Published
2025-08-19
Title
Raptive Ads < 3.9.0 - Reflected Cross-Site Scripting
Published
2025-03-11
Title
Easy Image Display <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-12-07
Title
WP Social Sharing <= 2.2 - Admin+ Stored XSS
Published
2025-09-25
Title
Mega Elements – Addons for Elementor < 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget
Published
2025-07-07
Title
Contact Form 7 Editor Button <= 1.0.0 - Reflected Cross-Site Scripting