Zero-day vulnerability fixed in WordPress Flexible Checkout Fields for WooCommerce plugin.

Last Revision: February 27, 2020

The WordPress Flexible Checkout Fields for WooCommerce plugin, which has 20,000+ active installations, fixed a critical zero-day vulnerability affecting version 2.3.1 and below.

The vulnerability has been actively exploited for the past hours and several users have been hacked. I’m not going to give too many details about this issue yet (although hackers already know about it), but, basically, because the plugin settings can be accessed by anybody, authenticated or not, hackers use it to inject new fields and scripts into the WooCommerce checkout page.


The vulnerability was reported to the authors on February 26, 2020, and a new version 2.3.2 was quickly released an hour later.


Update immediately if you have version 2.3.1 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Update February 27, 2020:
The authors have published a post to help users who have been hacked.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet