Authorization Bypass in WooCommerce Checkout Field Manager Plugin by WordPress
CVE-2025-13930

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Checkout Field Manager (checkout Manager) For WooCommerce
Vendor: CVE Published:; 19 February 2026

What is CVE-2025-13930?

The Checkout Field Manager for WooCommerce plugin for WordPress suffers from an authorization bypass vulnerability, affecting versions up to 7.8.5. This flaw arises from the plugin's inadequacy in verifying user authorization before allowing the deletion of attachments. Particularly, unregistered users can exploit this weakness to delete attachments tied to guest orders by simply utilizing the publicly accessible wooccm_upload nonce and attachment ID, potentially leading to unauthorized data manipulation.

Affected Version(s)

Checkout Field Manager (Checkout Manager) for WooCommerce 0 <= 7.8.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woocommerce-ch...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Dec 2, 2025

Credit

NosleeP

CVE-2025-13930 Data

JSON