CVE-2025-13930
📋 TL;DR
This vulnerability allows unauthenticated attackers to delete attachments associated with guest orders in WooCommerce Checkout Field Manager plugin. Attackers only need a publicly available nonce and attachment ID to exploit this authorization bypass. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Checkout Field Manager (Checkout Manager) for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical order attachments, causing data loss, order processing issues, and potential business disruption for affected WooCommerce stores.
Likely Case
Malicious actors delete guest order attachments, leading to customer service issues, lost documentation, and minor operational impact.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated attachment deletion attempts that can be detected and restored from backups.
🎯 Exploit Status
Exploitation requires only a nonce and attachment ID, both potentially obtainable from guest order flows.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.8.6 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Checkout Field Manager for WooCommerce'.
4. Click 'Update Now' if available.
5. If no update appears, download version 7.8.6+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable Guest Checkout
Prevent guest orders entirely to eliminate the attack vector
Navigate to WooCommerce → Settings → Accounts & Privacy → Uncheck 'Allow customers to place orders without an account'
Temporarily Deactivate Plugin
Disable the vulnerable plugin until patched
Navigate to WordPress admin → Plugins → Installed Plugins → Deactivate 'Checkout Field Manager for WooCommerce'
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing wooccm_upload nonce patterns
- Enable detailed logging for attachment deletion events and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
In WordPress admin, go to Plugins → Installed Plugins and read the version number shown for Checkout Field Manager for WooCommerce
Check Version:
wp plugin list --name=woocommerce-checkout-manager --field=version
(the --name filter of wp plugin list matches the plugin slug, i.e. its directory name as used in the plugin's WordPress.org repository path, not the display name shown in the admin panel)
Verify Fix Applied:
Confirm plugin version is 7.8.6 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/admin-ajax.php with action=wooccm_upload_delete
- Attachment deletion events without corresponding user authentication
- Multiple failed attachment deletion attempts from same IP
Network Indicators:
- Unusual spikes in admin-ajax.php requests
- Requests containing wooccm_upload parameter from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND parameters.action="wooccm_upload_delete" AND user="-"
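The log indicators above, turned into a small offline triage script. This is an added example, not part of the original advisory: it reads constructed JSON-lines web log records that use the same field names as the SIEM query (uri, user, parameters.action), flags unauthenticated POSTs invoking wooccm_upload_delete, counts hits per source IP, and lists the attachment IDs each IP targeted so they can be checked against backups. The record layout and the burst threshold are assumptions.

```python
"""Triage web logs for unauthenticated wooccm_upload_delete calls (CVE-2025-13930)."""
import json
from collections import Counter, defaultdict

# Constructed sample records (JSON lines). Assumed layout: one object per request,
# with "user" set to "-" when no authenticated WordPress user was attached to it.
SAMPLE_LOG = """\
{"ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"-","status":200,"parameters":{"action":"wooccm_upload_delete","attachment_id":"1234","nonce":"abcd1234"}}
{"ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"-","status":200,"parameters":{"action":"wooccm_upload_delete","attachment_id":"1235","nonce":"abcd1234"}}
{"ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"admin","status":200,"parameters":{"action":"wooccm_upload_delete","attachment_id":"77","nonce":"ef01ef01"}}
{"ip":"192.0.2.5","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"-","status":200,"parameters":{"action":"heartbeat"}}
{"ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"-","status":200,"parameters":{"action":"wooccm_upload_delete","attachment_id":"1236","nonce":"abcd1234"}}
{"ip":"192.0.2.5","method":"POST","uri":"/wp-admin/admin-ajax.php","user":"-","status":200,"parameters":{"action":"wooccm_upload_delete","attachment_id":"99","nonce":"9999aaaa"}}
"""

TARGET_ACTION = "wooccm_upload_delete"   # the AJAX action named in the advisory
AJAX_URI = "/wp-admin/admin-ajax.php"


def parse_log(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious(rec):
    """True for an unauthenticated POST to admin-ajax.php invoking the vulnerable action."""
    return (rec.get("method") == "POST"
            and rec.get("uri") == AJAX_URI
            and rec.get("parameters", {}).get("action") == TARGET_ACTION
            and rec.get("user", "-") == "-")


def analyze(records, burst_threshold=3):
    """Count suspicious calls per IP, collect targeted attachment IDs, flag bursts."""
    hits = Counter()
    attachments = defaultdict(list)
    for rec in records:
        if is_suspicious(rec):
            hits[rec["ip"]] += 1
            attachments[rec["ip"]].append(rec["parameters"].get("attachment_id", "?"))
    burst = sorted(ip for ip, n in hits.items() if n >= burst_threshold)  # assumed threshold
    return {"suspicious_ips": dict(hits), "attachments": dict(attachments),
            "burst_ips": burst, "total": sum(hits.values())}


def report(text, burst_threshold=3):
    """Convenience wrapper: parse raw log text and analyze it."""
    return analyze(parse_log(text), burst_threshold)


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

The authenticated admin call and the heartbeat request are left out of the count; the listed attachment IDs are the ones to verify against backups after patching.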
🔗 References
- https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8.1/lib/class-upload.php#L114
- https://plugins.trac.wordpress.org/browser/woocommerce-checkout-manager/tags/7.8.1/lib/class-upload.php#L75
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440979%40woocommerce-checkout-manager&new=3440979%40woocommerce-checkout-manager&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/33486414-6878-4b16-ae2d-00ec52fc2213?source=cve