CVE-2025-12500 MEDIUM

CVE-2025-12500: Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload

Vendor Quadlayers
Product Checkout Field Manager (Checkout Manager) for WooCommerce
Weakness CWE-434 · Unrestricted file upload
Published February 19, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.).
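As an added illustration of the weakness class described above (this is not code from the plugin or from Quadlayers; every function, hook, nonce and capability name is assumed), the following contrasts a WordPress AJAX upload handler that is reachable without login and performs no authorization check with a hardened handler that requires a nonce and a capability and narrows the accepted MIME types:

```php
<?php
// Hypothetical illustration of CWE-434 in a WordPress AJAX handler (not the plugin's code).

// Vulnerable pattern: the hook is registered for unauthenticated callers
// (wp_ajax_nopriv_) and the callback never checks who is calling.
add_action( 'wp_ajax_nopriv_example_attachment_upload', 'example_upload_unchecked' );
add_action( 'wp_ajax_example_attachment_upload', 'example_upload_unchecked' );

function example_upload_unchecked() {
    if ( empty( $_FILES['attachment'] ) ) {
        wp_send_json_error( 'no file' );
    }
    // wp_handle_upload() enforces WordPress's default allowed MIME types, which is
    // why the upload is "limited", but anyone on the network can still write files
    // into the uploads directory.
    $result = wp_handle_upload( $_FILES['attachment'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// Hardened pattern: only logged-in callers reach the hook (no nopriv variant),
// the request must carry a valid nonce, the caller must hold a capability, and
// the MIME allow-list is narrowed to what the checkout feature needs.
add_action( 'wp_ajax_example_attachment_upload_secure', 'example_upload_checked' );

function example_upload_checked() {
    // The nonce ties the request to a form rendered for this user and session.
    check_ajax_referer( 'example_attachment_upload', 'nonce' );

    // Capability check: use the narrowest capability that fits the feature.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['attachment'] ) || ! is_uploaded_file( $_FILES['attachment']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    $overrides = array(
        'test_form' => false,
        // Explicit allow-list instead of WordPress's full default MIME list.
        'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' ),
    );
    $result = wp_handle_upload( $_FILES['attachment'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Where guest checkout genuinely requires uploads from visitors who are not logged in, the nonce, the strict MIME allow-list and server-side size and rate limits become the primary controls, since a capability check alone cannot apply.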

Explanation of Vulnerability in Simple Terms

02 Summary

Checkout Field Manager for WooCommerce versions 7.8.1 and earlier allow unauthenticated attackers to upload files without proper validation. An attacker can upload arbitrary files to the site over the network without needing authentication or user interaction. This could allow malicious file uploads that compromise site integrity.

What an attacker can do

03 Attacker Capabilities

Upload arbitrary files to the site without authentication.

Potential impact on your site

04 Site Impact

Attackers can upload malicious files that may alter site content or enable further attacks.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 19, 2026 CVE published
April 8, 2026 Record updated