CVE-2025-39520

Vulnerability

The Checkout Files Upload for WooCommerce plugin up to version 2.2.0 fails to properly sanitize file names uploaded via the checkout process, allowing Stored Cross-Site Scripting (XSS) [1]. The vulnerability exists in the file upload handling on the WooCommerce checkout page, order received page, and My Account page. The plugin requires WooCommerce to be active, and an attacker must be able to upload a file with a maliciously crafted filename.

Exploitation

An unauthenticated attacker can exploit this vulnerability by uploading a file whose name contains JavaScript payloads (e.g., .txt) through the standard checkout file upload field. The malicious filename is stored in the database and executed when an administrator or shop manager views the order details in the WordPress admin panel where the filename is rendered without proper escaping.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session. This can lead to session hijacking, theft of sensitive information (including WooCommerce order data), and potential full site compromise if combined with additional actions such as creating rogue admin accounts [1].

Mitigation

The vulnerability is patched in version 2.2.6, released on 2026-05-15 [1]. Users should update to version 2.2.6 or later immediately. No workarounds are documented. Sites running versions 2.2.0 or earlier are vulnerable. The plugin is not known to be listed on CISA's Known Exploited Vulnerabilities catalog.