VYPR
Unrated severity · NVD Advisory · Published May 20, 2022 · Updated Apr 28, 2026

WordPress Checkout Files Upload for WooCommerce plugin <= 2.1.2 - Cross-Site Scripting (XSS) vulnerability

CVE-2022-29425

Description

Cross-Site Scripting (XSS) vulnerability in WP Wham's Checkout Files Upload for WooCommerce plugin <= 2.1.2 at WordPress.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Checkout Files Upload for WooCommerce ≤ 2.1.2 has an unvalidated file upload field that allows stored XSS through malicious file names.

Vulnerability

Checkout Files Upload for WooCommerce versions 2.1.2 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the checkout file upload feature. The plugin does not sanitize the file name (or other file metadata) submitted with an upload on the WooCommerce checkout page, so a file name that carries HTML or JavaScript is stored with the order exactly as the browser sent it and becomes live markup wherever it is later rendered without escaping. The CVE description itself states only the product, the affected range (<= 2.1.2) and the vulnerability class [1].

Exploitation

Exploiting the flaw needs no special privilege beyond reaching the checkout page: on a store that allows guest checkout, any visitor sees the upload field (the CVE description does not state a required privilege, so treat the guest case as the lower bound). The attacker submits a file whose name embeds an HTML or JavaScript payload ahead of an innocuous extension (e.g., .pdf). The plugin neither validates nor escapes the name before storing it, so wherever the name is later rendered unescaped, such as the admin order details screen or an order notification email, the payload executes in the browser of whoever views it. Because the payload is stored with the order, the victim is typically store staff opening that order, not the attacker.
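The pattern described above, as an added example rather than code from the Checkout Files Upload for WooCommerce plugin or from WP Wham: a browser-supplied upload name stored verbatim and echoed into admin HTML, placed beside the WordPress-idiomatic fix (sanitize on input, escape on output) and a triage check for orders already in the database. The function names, the `$_FILES` key `cfu_file` and the sample payload are illustrative assumptions; the two shims only exist so the file runs under plain `php`, and inside WordPress the real `esc_html()` and `sanitize_file_name()` are used instead.

```php
<?php
// Added example: not code from the Checkout Files Upload for WooCommerce
// plugin or from WP Wham. It reproduces the bug class described above (a
// browser-supplied upload file name stored verbatim and later echoed into
// admin HTML) beside the WordPress-idiomatic fix. Function names, the
// $_FILES key 'cfu_file' and the sample payload are illustrative assumptions.
// The two shims below only exist so the file runs under plain `php`; inside
// WordPress the real esc_html()/sanitize_file_name() are used instead.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

if (!function_exists('sanitize_file_name')) {
    // Simplified stand-in for WordPress' sanitize_file_name(): drops the
    // characters WordPress treats as illegal in a file name (the ones that
    // open HTML tags and attributes are among them) and turns whitespace
    // into dashes.
    function sanitize_file_name(string $name): string
    {
        $illegal = ['?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"',
                    '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', "\0"];
        $name = str_replace($illegal, '', $name);
        $name = preg_replace('/[\s-]+/', '-', $name);
        return trim($name, '.-_');
    }
}

// Constructed attacker input: the value $_FILES['cfu_file']['name'] receives
// when the shopper picks a file with this name at checkout.
$uploaded_name = '<img src=x onerror=alert(document.cookie)>.pdf';

// --- Vulnerable pattern (the bug class CVE-2022-29425 describes) ----------
// The browser-supplied name is stored as-is and later concatenated into
// the order screen. The stored string is live HTML when rendered.
function store_file_name_vulnerable(string $browser_name): string
{
    return $browser_name; // no validation, no sanitisation
}

function render_order_file_vulnerable(string $stored_name): string
{
    return '<li>Uploaded file: ' . $stored_name . '</li>';
}

// --- Hardened pattern -----------------------------------------------------
// Sanitise on input (the name becomes part of a path, so it must be a
// plain file name regardless of XSS) and escape on output (names stored
// before the fix still reach the same template).
function store_file_name_hardened(string $browser_name): string
{
    $clean = sanitize_file_name($browser_name);
    if ($clean === '') {
        throw new InvalidArgumentException('file name empty after sanitisation');
    }
    return $clean;
}

function render_order_file_hardened(string $stored_name): string
{
    return '<li>Uploaded file: ' . esc_html($stored_name) . '</li>';
}

// --- Triage check for orders already in the database ----------------------
// A legitimate file name has no reason to contain tag or attribute syntax,
// so any hit is worth a manual look before staff open that order.
function looks_like_stored_xss(string $stored_name): bool
{
    return (bool) preg_match('/[<>"\'`]|javascript:|\bon\w+\s*=/i', $stored_name);
}

echo 'Vulnerable: ', render_order_file_vulnerable(store_file_name_vulnerable($uploaded_name)), PHP_EOL;
echo 'Hardened:   ', render_order_file_hardened(store_file_name_hardened($uploaded_name)), PHP_EOL;
echo 'Legacy record, escaped on output: ', render_order_file_hardened($uploaded_name), PHP_EOL;
echo 'Flagged for review: ', var_export(looks_like_stored_xss($uploaded_name), true), PHP_EOL;
```

Run it with `php example.php`: the vulnerable line prints the `<img ...>` tag intact, the hardened line prints a plain dashed file name, and the legacy line shows that escaping alone already neutralises a name stored before the fix. Escaping is context-specific: `esc_html()` is right for text nodes, `esc_attr()` for attribute values (a `title` or `download` attribute, for instance), and the same escaping must be applied in email templates, which are a second sink for the stored name.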

Impact

Successful exploitation executes attacker-controlled JavaScript in the browser of any user who views the stored file name. The attacker needs no account; the script runs inside the victim's authenticated session and therefore acts with that user's privileges: session hijacking, credential theft, defacement, redirection to malicious sites or, when the victim is an administrator, any action available in wp-admin. Customers viewing their own order can be targeted too, but the admin order screen is the high-value sink.

Mitigation

The vulnerability is fixed in plugin version 2.2.0; update to the latest release (2.2.6 as of May 2026) from the WordPress plugin repository [1]. No workaround is documented, so upgrading is the mitigation; until the update is applied, deactivating the plugin removes the upload field from checkout. Note that this page's patch index lists no patch for the CVE, so the fix version rests on the repository reference alone. Upgrading also does not rewrite file names already stored with past orders, so review existing orders for names containing markup before staff open them. The plugin is actively maintained, and no end-of-life status has been announced.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet
References: 2
News mentions: 0 (no linked articles in the index yet)