
WooCommerce Checkout Field Manager plugin allows attackers to delete attachments

CVE-2025-13930
Summary

An unauthenticated attacker can delete attachments associated with guest orders. This affects online stores running the Checkout Field Manager (Checkout Manager) for WooCommerce plugin in versions up to and including 7.8.5. To fix, update to version 7.8.6 or later, or remove the plugin until a patch is available.

Original title
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not prope...
Original description
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-862 Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026