CVE-2020-36731
published 2023-06-07


Priority: P1 79
CVSS 3.1: 6.1 medium (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
Exploitation status: ITW exploit; listed in VulnCheck KEV; exploited in the wild
EPSS: 1.34% (67.8th percentile)
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
wpdesk | flexible_checkout_fields | <= 2.3.1 | (none listed)
wpdesk | flexible_checkout_fields_for_woocommerce_woocommerce_checkout_manager | < 2.3.2 | 2.3.2

Detection & IOCs (extracted from sources)

url: /wp-admin/admin.php?page=inspire_checkout_fields_settings&tab=fields_order
command: option_page=inspire_checkout_fields_settings&action=update&inspire_checkout_fields%5Bsettings%5D%5Border%5D=&inspire_checkout_fields%5Bsettings%5D%5Border%5D%5Border_comments%5D%5Bname%5D=order_comments
other: inspire_checkout_fields[settings][order]
  • Unauthenticated POST to /wp-admin/admin.php with page=inspire_checkout_fields_settings and action=update abuses the missing authorization check on updateSettingsAction() hooked via admin_init; no authentication is required to modify plugin settings.
  • Successful exploitation returns the string 'Settings resetted.' in the HTTP response body; use this as a confirmation matcher for the unauthenticated settings-update attack.
  • Stored XSS payload is injected into the inspire_checkout_fields[settings][order] parameter using unsanitized field names containing <script>alert(2)</script>; monitor POST bodies to the settings endpoint for script tags in parameter names.
  • Detection rule matches on co-occurrence of 'order_alert(document.domain)', '[custom_field]', and 'inspire_checkout_fields[settings][order]' in the response, indicating successful stored XSS injection.
  • Content-Type of the malicious POST is application/x-www-form-urlencoded; alert on unauthenticated (no valid WordPress auth cookies) POST requests to wp-admin/admin.php with this content type targeting inspire_checkout_fields_settings.
  • The vulnerability affects Flexible Checkout Fields for WooCommerce plugin versions up to and including 2.3.1; confirm the version scope before applying detections to avoid false positives on patched installations.
  • The attack vector is the admin_init hook, meaning the POST does not require a logged-in session; WAF rules blocking unauthenticated wp-admin access may mitigate this but should be validated against the specific hook behavior.

CVSS provenance

nvd (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 7.2 HIGH