Threat Entry Updated 2026-02-19

CVE-2025-13930 - Woocommerce Checkout Manager Plugin

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.

PLUGIN Woocommerce Checkout Manager

CVE-2025-13930

MEDIUM CVSS 5.3 2026-02-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-02-19

CVE-2025-12500 - Woocommerce Checkout Manager Plugin

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.).

PLUGIN Woocommerce Checkout Manager

CVE-2025-12500

MEDIUM CVSS 5.3 2026-02-19

Risk Score

Open Full Technical Breakdown