Checkout Field Editor (Checkout Manager) for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woo-checkout-field-editor-pro

Checkout Field Editor (Checkout Manager) for WooCommerce – The best WooCommerce checkout manager plugin to manage WooCommerce checkout fields.

500K active installs · v2.1.8 · PHP 5.6+ · WP 4.9+ · Updated Mar 10, 2026
Tags: checkout-field-editor, checkout-manager, custom-fields, woocommerce-checkout, woocommerce-checkout-field
Score: 93 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is Checkout Field Editor (Checkout Manager) for WooCommerce Safe to Use in 2026?

Generally Safe

Score 93/100

Checkout Field Editor (Checkout Manager) for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Mar 10, 2026 · Updated 24d ago
Risk Assessment

The plugin exhibits several positive security practices, including 100% use of prepared statements for SQL queries and proper output escaping, indicating good defensive coding in these areas. The presence of numerous nonce and capability checks also suggests an effort to secure its functionality. However, the static analysis reveals a significant concern with one of its two AJAX handlers lacking authentication checks, creating a direct entry point for potential unauthorized actions.

Taint analysis shows a flow with an unsanitized path, which, while not flagged as critical or high severity in this scan, warrants attention as it represents a potential avenue for injecting malicious data. The plugin's vulnerability history is a major red flag. With 3 previously disclosed CVEs, including 2 high and 1 medium severity, and a recent vulnerability in 2026, it indicates a pattern of past security weaknesses that required external patching. The historical vulnerability types like Cross-site Scripting and Deserialization of Untrusted Data are common and can be severe if exploited.

Overall, while the code demonstrates strengths in areas like SQL and output handling, the unprotected AJAX handler and the historical vulnerability record significantly elevate the risk profile. The potential for unauthenticated access to an AJAX endpoint coupled with past exploitable vulnerabilities suggests that users should exercise caution. Continued vigilance and prompt patching of future vulnerabilities are crucial.

Key Concerns

  • Unprotected AJAX handler
  • Flow with unsanitized path (taint analysis)
  • 3 known CVEs (2 high, 1 medium)
Vulnerabilities: 3

Checkout Field Editor (Checkout Manager) for WooCommerce Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 1

3 total CVEs

CVE-2026-3231 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field

Mar 10, 2026 · Patched in 2.1.8 (3d)

CVE-2024-8499 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.0.3 - Reflected Cross-Site Scripting via render_review_request_notice

Oct 3, 2024 · Patched in 2.0.4 (2d)

CVE-2022-3490 · high · 8 · Deserialization of Untrusted Data

Checkout Field Editor <= 1.7.2 - Authenticated (Admin+) PHP Object Injection

Nov 7, 2022 · Patched in 1.8.0 (442d)

Code Analysis
Analyzed Mar 16, 2026

Checkout Field Editor (Checkout Manager) for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (566 escaped)
Nonce Checks: 14
Capability Checks: 16
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Output Escaping

100% escaped · 568 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

5 flows · 1 with unsanitized paths
<class-thwcfd-admin-settings-advanced> (admin\class-thwcfd-admin-settings-advanced.php:0)
Attack Surface: 1 unprotected

Checkout Field Editor (Checkout Manager) for WooCommerce Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers (2)

auth · wp_ajax_thwcfd_deactivation_reason · includes\class-thwcfd.php:106
auth · wp_ajax_th_activate_plugin · includes\class-thwcfd.php:114

WordPress Hooks (65)

action · woocommerce_admin_order_data_after_order_details · admin\class-thwcfd-admin-settings-general.php:54
action · woocommerce_admin_order_data_after_billing_address · admin\class-thwcfd-admin-settings-general.php:55
action · woocommerce_admin_order_data_after_shipping_address · admin\class-thwcfd-admin-settings-general.php:56
filter · deprecated_function_trigger_error · admin\class-thwcfd-admin.php:710
action · wp_enqueue_scripts · block\class-thwcfd-block-integration.php:41
action · admin_enqueue_scripts · block\class-thwcfd-block-integration.php:42
action · woocommerce_admin_order_data_after_order_details · block\class-thwcfd-block-order-data.php:27
action · woocommerce_order_details_after_order_table · block\class-thwcfd-block-order-data.php:31
action · woocommerce_subscription_details_after_subscription_table · block\class-thwcfd-block-order-data.php:33
action · woocommerce_email_customer_details · block\class-thwcfd-block-order-data.php:38
filter · woocommerce_email_customer_details_fields · block\class-thwcfd-block-order-data.php:39
action · woocommerce_email_order_meta · block\class-thwcfd-block-order-data.php:40
filter · woocommerce_email_order_meta_fields · block\class-thwcfd-block-order-data.php:42
action · woocommerce_init · block\class-thwcfd-block.php:24
action · woocommerce_blocks_loaded · block\class-thwcfd-block.php:25
action · woocommerce_blocks_checkout_block_registration · block\class-thwcfd-block.php:41
action · woocommerce_validate_additional_field · block\class-thwcfd-block.php:42
filter · woocommerce_get_country_locale · block\class-thwcfd-block.php:43
filter · woocommerce_default_address_fields · block\class-thwcfd-block.php:45
action · woocommerce_blocks_checkout_block_registration · block\class-thwcfd-block.php:327
action · woocommerce_store_api_checkout_update_order_from_request · block\class-thwcfd-block.php:329
action · before_woocommerce_init · checkout-form-designer.php:52
action · init · includes\class-thwcfd.php:28
action · admin_enqueue_scripts · includes\class-thwcfd.php:96
action · admin_menu · includes\class-thwcfd.php:97
action · admin_head · includes\class-thwcfd.php:98
action · admin_footer · includes\class-thwcfd.php:99
action · admin_footer · includes\class-thwcfd.php:100
filter · woocommerce_screen_ids · includes\class-thwcfd.php:101
action · admin_init · includes\class-thwcfd.php:103
action · admin_notices · includes\class-thwcfd.php:104
action · admin_footer-plugins.php · includes\class-thwcfd.php:105
filter · plugin_row_meta · includes\class-thwcfd.php:107
action · admin_init · includes\class-thwcfd.php:109
action · admin_init · includes\class-thwcfd.php:110
action · admin_head · includes\class-thwcfd.php:111
action · init · includes\class-thwcfd.php:117
action · wp_enqueue_scripts · includes\class-thwcfd.php:123
action · init · includes\class-thwcfd.php:124
filter · woocommerce_enable_order_notes_field · public\class-thwcfd-public-checkout.php:53
filter · woocommerce_get_country_locale_default · public\class-thwcfd-public-checkout.php:55
filter · woocommerce_get_country_locale_base · public\class-thwcfd-public-checkout.php:56
filter · woocommerce_get_country_locale · public\class-thwcfd-public-checkout.php:57
filter · woocommerce_billing_fields · public\class-thwcfd-public-checkout.php:59
filter · woocommerce_shipping_fields · public\class-thwcfd-public-checkout.php:60
filter · woocommerce_checkout_fields · public\class-thwcfd-public-checkout.php:61
action · woocommerce_after_checkout_validation · public\class-thwcfd-public-checkout.php:63
action · woocommerce_checkout_update_order_meta · public\class-thwcfd-public-checkout.php:64
filter · woocommerce_email_order_meta_fields · public\class-thwcfd-public-checkout.php:67
action · woocommerce_order_details_after_order_table · public\class-thwcfd-public-checkout.php:68
filter · woocommerce_form_field_checkboxgroup · public\class-thwcfd-public-checkout.php:70
filter · woocommerce_form_field_checkbox · public\class-thwcfd-public-checkout.php:71
filter · woocommerce_form_field_datetime_local · public\class-thwcfd-public-checkout.php:72
filter · woocommerce_form_field_date · public\class-thwcfd-public-checkout.php:73
filter · woocommerce_form_field_time · public\class-thwcfd-public-checkout.php:74
filter · woocommerce_form_field_month · public\class-thwcfd-public-checkout.php:75
filter · woocommerce_form_field_week · public\class-thwcfd-public-checkout.php:76
filter · woocommerce_form_field_url · public\class-thwcfd-public-checkout.php:77
filter · woocommerce_form_field_multiselect · public\class-thwcfd-public-checkout.php:78
filter · woocommerce_form_field_hidden · public\class-thwcfd-public-checkout.php:79
filter · woocommerce_form_field_heading · public\class-thwcfd-public-checkout.php:80
filter · woocommerce_form_field_paragraph · public\class-thwcfd-public-checkout.php:81
filter · woocommerce_form_field_radio · public\class-thwcfd-public-checkout.php:85
filter · woocommerce_get_country_locale · public\class-thwcfd-public-checkout.php:89
filter · woocommerce_get_country_locale_default · public\class-thwcfd-public-checkout.php:90

Maintenance & Trust

Checkout Field Editor (Checkout Manager) for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 5.6
Downloads: 10.0M

Community Trust

Rating: 98/100
Number of ratings: 1,048
Active installs: 500K

Developer Profile

Checkout Field Editor (Checkout Manager) for WooCommerce Developer Profile

ThemeHigh

16 plugins · 579K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 245 days

Detection Fingerprints

How We Detect Checkout Field Editor (Checkout Manager) for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woo-checkout-field-editor-pro/admin/assets/css/thwcfd-admin.css
/wp-content/plugins/woo-checkout-field-editor-pro/admin/assets/js/thwcfd-admin.js
/wp-content/plugins/woo-checkout-field-editor-pro/admin/assets/images/logo.svg
Script Paths
/wp-content/plugins/woo-checkout-field-editor-pro/admin/assets/js/thwcfd-admin.min.js
Version Parameters
woo-checkout-field-editor-pro/admin/assets/css/thwcfd-admin.css?ver=
woo-checkout-field-editor-pro/admin/assets/js/thwcfd-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
thwcfd-wrap
th-block-warning-msg
th-warning-message-panel__text
th-warning-message-panel__text--center
th-warning-img
th-warning
th-warning-message-panel__inner-text
HTML Comments
<!-- Block Compatibility Warning -->
JS Globals
THWCFD_URL
FAQ

Frequently Asked Questions about Checkout Field Editor (Checkout Manager) for WooCommerce