5.3
WooCommerce Checkout Manager plugin allows attackers to upload files without login
CVE-2025-12500
Summary
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress, in all versions up to and including 7.8.1, lets attackers upload files to the server without logging in, because its upload handler does not verify that the requester is authorized. An attacker could potentially upload malicious files, although uploads are limited to the file types WordPress allows by default (images, documents, etc.). To stay safe, update the plugin to the latest version or remove it if you don't need it.
Original title
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to t...
Original description
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.).
NVD CVSS 3.1
5.3
Vulnerability type
CWE-434
Unrestricted File Upload
- https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8...
- https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8...
- https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e807480b-00c9-4340-bd0...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
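A version check for the remediation advice above, as an added example that is not part of the original advisory or the plugin's code: it reads the plugin's header from disk and flags installs at or below 7.8.1. The default `wp-content/plugins` location, the status labels and the sample plugin files are assumptions; the `99.0` version is a constructed value, not a known fixed release.

```python
import re, tempfile
from pathlib import Path

SLUG = "woocommerce-checkout-manager"  # plugin directory, as in the Trac URLs above
LAST_AFFECTED = (7, 8, 1)              # "up to, and including, 7.8.1"
# Header lines as they appear in a plugin's main file: " * Version: 1.2.3"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.+)$", re.M | re.I)

def read_plugin_version(plugin_dir):
    """Version header of the plugin's main file, or None if no main file is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only reads the first 8 KiB of a file when looking for headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        fields = {k.lower(): v.strip(" \t\r*/") for k, v in HEADER_RE.findall(head)}
        if fields.get("plugin name") and fields.get("version"):
            return fields["version"]
    return None

def parse_version(text):
    """'7.8' -> (7, 8, 0); a suffix such as '-beta2' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    parts = [int(p) for p in m.group().split(".")] if m else []
    # Unparseable versions become (0, 0, 0) and are reported as affected.
    return tuple(parts + [0] * (3 - len(parts)))

def audit(wp_root):
    """Return (status, version) for one WordPress document root."""
    # Assumes the default wp-content/plugins location; adjust if it was relocated.
    version = read_plugin_version(Path(wp_root) / "wp-content" / "plugins" / SLUG)
    if version is None:
        return ("not-installed", None)
    affected = parse_version(version) <= LAST_AFFECTED
    return ("affected" if affected else "newer-than-affected", version)

def demo():
    """Run audit() on constructed installs (sample headers, not the plugin's real file)."""
    results = {}
    for version in ("7.8.1", "99.0", None):
        with tempfile.TemporaryDirectory() as root:
            if version:
                plugin = Path(root, "wp-content", "plugins", SLUG)
                plugin.mkdir(parents=True)
                (plugin / "main.php").write_text(
                    f"<?php\n/**\n * Plugin Name: Constructed sample\n * Version: {version}\n */\n")
            results[version] = audit(root)
    return results

if __name__ == "__main__":
    print(demo())
```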