{"id":3517,"date":"2026-03-11T06:56:27","date_gmt":"2026-03-11T06:56:27","guid":{"rendered":"https:\/\/research.cleantalk.org\/?p=3517"},"modified":"2026-03-11T06:56:28","modified_gmt":"2026-03-11T06:56:28","slug":"cve-2026-3231","status":"publish","type":"post","link":"https:\/\/research.cleantalk.org\/cve-2026-3231\/","title":{"rendered":"CVE-2026-3231\u00a0&#8211; Checkout Field Editor (Checkout Manager) for WooCommerce &#8211; Unauthenticated Stored XSS &#8211; POC"},"content":{"rendered":"\n<p>CVE-2026-3231 affects Checkout Field Editor (Checkout Manager) for WooCommerce. It is an unauthenticated stored cross-site scripting vulnerability whose payload can fire in high-value contexts such as the WooCommerce admin order screen and the customer order details page. This matters because checkout fields sit directly on the boundary between untrusted shopper input and trusted back-office workflows. If an attacker can store HTML that later executes in an administrator\u2019s browser, the impact quickly escalates from a cosmetic script popup into <strong>session theft and administrative actions performed in the background<\/strong>. 
With an active install base of 500k+, the vulnerable pattern is relevant to many production stores, especially those that use custom checkout fields to collect contact data, delivery preferences, or consent options.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>CVE<\/td><td><strong>CVE-2026-3231<\/strong><\/td><\/tr><tr><td>Vulnerable version<\/td><td><a href=\"https:\/\/wordpress.org\/plugins\/woo-checkout-field-editor-pro\/advanced\/\">Checkout Field Editor (Checkout Manager) for WooCommerce &lt;= 2.1.7<\/a><\/td><\/tr><tr><td>All-time downloads<\/td><td><strong>10 232 124<\/strong><\/td><\/tr><tr><td>Active installations<\/td><td><strong>500 000+<\/strong><\/td><\/tr><tr><td>Publicly published<\/td><td>March 10, 2026<\/td><\/tr><tr><td>Last updated<\/td><td>March 10, 2026<\/td><\/tr><tr><td>Researcher<\/td><td>Dmitrii Ignatyev<\/td><\/tr><tr><td>PoC<\/td><td>Yes<\/td><\/tr><tr><td>Exploit<\/td><td>No<\/td><\/tr><tr><td>References<\/td><td><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2026-3231\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2026-3231<\/a><br><a href=\"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/woo-checkout-field-editor-pro\/checkout-field-editor-checkout-manager-for-woocommerce-217-unauthenticated-stored-cross-site-scripting-via-block-checkout-custom-radio-field\">https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/woo-checkout-field-editor-pro\/checkout-field-editor-checkout-manager-for-woocommerce-217-unauthenticated-stored-cross-site-scripting-via-block-checkout-custom-radio-field<\/a><br><a href=\"https:\/\/t.me\/cleantalk_researches\/383\">https:\/\/t.me\/cleantalk_researches\/383<\/a><\/td><\/tr><tr><td>Plugin Security Certification by CleanTalk<\/td><td><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" class=\"wp-image-15\" style=\"width: 150px;\" 
src=\"https:\/\/research.cleantalk.org\/wp-content\/uploads\/2023\/10\/New_1_not_safe-1.png\" alt=\"\"><\/td><\/tr><tr><td>Logo of the plugin<\/td><td><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" class=\"wp-image-3518\" style=\"width: 150px;\" src=\"https:\/\/research.cleantalk.org\/wp-content\/uploads\/2026\/03\/icon-256x256-6.gif\" alt=\"\"><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Timeline<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>February 5, 2026<\/td><td>Plugin testing and vulnerability detection in <strong>The Event Calendar<\/strong> have been completed<\/td><\/tr><tr><td>February 5, 2026<\/td><td>I contacted the author of the plugin and provided a vulnerability PoC with a 
description and recommendations for fixing<\/td><\/tr><tr><td>March 10, 2026<\/td><td>Registered <strong>CVE-2026-3231<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Discovery of the Vulnerability<\/strong><\/h2>\n\n\n\n<p>The bug is rooted in a broken escaping pipeline for Block Checkout custom fields of type Radio and related group types. The renderer first escapes the stored value with <code>esc_html<\/code>, which should neutralize HTML, but the radio and checkboxgroup handling then re-decodes the value back into raw HTML with <code>html_entity_decode<\/code>, effectively undoing the escape. After that, the output is passed through <code>wp_kses<\/code> with an allow list that is overly permissive: it includes a <code>select<\/code> element with an allowed <code>onchange<\/code> attribute. That combination creates an obvious stored XSS sink because an attacker-controlled payload can survive storage and be rendered as active HTML with a JavaScript event handler. The vulnerable flow is in the block order data preparation logic in <code>block\/class-thwcfd-block-order-data.php<\/code> around <code>prepare_single_field_data<\/code>, and the allow list comes from <code>THWCFD_Utils::get_allowed_html<\/code> in <code>includes\/utils\/class-thwcfd-utils.php<\/code>, where the unsafe allowance of event attributes makes exploitation possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Understanding Stored XSS Attacks<\/strong><\/h2>\n\n\n\n<p>Stored XSS in WooCommerce is particularly dangerous because order views are a privileged workflow surface. Administrators open orders constantly, customer service staff view order details, and order emails can be processed by systems that render HTML. 
A vulnerability that originates from a checkout field is also attractive to attackers because it can be triggered by a normal purchase flow, sometimes without needing an account at all. Real-world outcomes of stored XSS in an order context include stealing admin cookies, forcing background actions using the victim\u2019s session, creating new administrator users, changing payment settings, or installing plugins, depending on what defensive controls are present. The critical lesson here is that safe output encoding must be consistent and one-directional. Once you escape, you never decode back into HTML. The moment you do, you have effectively re-enabled the attacker\u2019s markup. Allowing event handler attributes like <code>onchange<\/code> inside <code>wp_kses<\/code> rules is a strong signal that the allow list is being used incorrectly, because event handlers are <strong>code execution primitives<\/strong> in the browser.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Exploiting the Stored XSS Vulnerability<\/strong><\/h2>\n\n\n\n<p>To exploit <strong>CVE-2026-3231<\/strong>, an attacker without any cookies (no authentication required) sends the following:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>POC<\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">Send following payload in a field \"Radio\" type:\n\"thwcfe-additional-fields\":{\"contact\":{\"test\":\"&lt;select onchange=alert(document.domain)>&lt;option>CLICK ME&lt;\/option>&lt;option>WTF&lt;\/option>&lt;\/select>\"}}},<\/code><\/pre>\n<\/blockquote>\n\n\n\n<p>The most serious scenario is administrator compromise. If an unauthenticated attacker can inject a payload during checkout, they can effectively plant a trap that will execute when staff process orders. 
Even if the payload requires interaction like changing a selection, order processing often involves clicking through and interacting with controls, so the trigger is realistic. From there the attacker can perform actions that look like the administrator performed them, which can include changing store settings, altering payout destinations, creating new accounts, or installing backdoors, depending on the environment. A second scenario is customer targeting. If the malicious HTML is also shown in customer order pages or emails, the attacker can weaponize it for phishing or browser exploitation against shoppers. The business impact can be immediate because WooCommerce stores are revenue-generating systems, so any admin takeover or payment redirection can cause direct financial loss. The stealth property is also important: stored XSS can remain dormant until an order is opened, which can delay detection and make incident response harder.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recommendations for Improved Security<\/strong><\/h2>\n\n\n\n<p>The fix must focus on restoring a correct output encoding strategy. The plugin should remove <code>html_entity_decode<\/code> from the rendering path for any untrusted stored values, because decoding after escaping recreates active HTML. If the goal is to show a human-readable label for radio options, it should be rendered as plain text using a single safe encoding function and never treated as markup. The <code>wp_kses<\/code> allow list should be hardened, and event handler attributes such as <code>onchange<\/code> should never be permitted on any element that can contain attacker-controlled content. In addition, input validation should be applied at the time of storage, ensuring that checkout field values for radio options are stored as safe scalar strings without markup, and that Store API payloads are validated server-side to prevent tampering. 
Store owners should patch as soon as a fixed version is available, and they should consider temporarily disabling Block Checkout custom radio field rendering in order views if that is feasible, because the highest risk comes from the privileged admin order context. Finally, add monitoring for suspicious markup in order meta and review recent orders for unexpected tags like <code>select<\/code>, <code>script<\/code>, <code>svg<\/code>, or event handler attributes, because early detection can prevent an eventual admin session compromise.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>By taking proactive measures to address <strong>Stored XSS like CVE-2026-3231<\/strong>, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.<\/p>\n<cite>Dmitrii I.<\/cite><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2026-3231 affects Checkout Field Editor Checkout Manager for WooCommerce and it is an unauthenticated stored cross site scripting vulnerability that can fire in high value contexts such as the WooCommerce admin order screen and customer order details. The reason this matters is that checkout fields sit directly on the boundary between untrusted shopper input and trusted back office workflows. If an attacker can store HTML that later executes in an administrator\u2019s browser, the impact quickly escalates from a cosmetic script popup into session theft and administrative actions performed in the background. 
With an install base around 500k plus, the vulnerable pattern is relevant for many production stores, especially those that use custom checkout fields to collect contact data, delivery preferences, or consent options.<\/p>\n","protected":false},"author":2,"featured_media":15,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,1],"tags":[],"class_list":["post-3517","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cve","category-security","","tg-column-two"],"_links":{"self":[{"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/posts\/3517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/comments?post=3517"}],"version-history":[{"count":1,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/posts\/3517\/revisions"}],"predecessor-version":[{"id":3519,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/posts\/3517\/revisions\/3519"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/media\/15"}],"wp:attachment":[{"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/media?parent=3517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/categories?post=3517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/research.cleantalk.org\/wp-json\/wp\/v2\/tags?post=3517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}