Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Subscriber-level authentication (PR:L) and admin page-view (UI:R) are required; scope change reflects XSS executing in admin browser context.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in Shipment Tracker for Woocommerce <= 1.5.3.2 versions.
AnalysisAI
Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.
Technical ContextAI
The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical stored XSS weakness class. The affected component is a WooCommerce plugin developed by Amit Mittal (CPE: cpe:2.3:a:amit_mittal:shipment_tracker_for_woocommerce:*:*:*:*:*:*:*:*), which extends WooCommerce order management with shipment tracking data fields. The XSS occurs because subscriber-supplied tracking data - likely shipment notes, tracking numbers, or carrier fields - is stored in the database and later rendered without proper output encoding or sanitization in an administrative view. WordPress subscriber accounts are the lowest authenticated role and typically map to standard customer accounts in WooCommerce storefronts, making the attack surface broad for any site accepting orders.
RemediationAI
The primary remediation is to update the Shipment Tracker for WooCommerce plugin to a version beyond 1.5.3.2; however, no specific patched release version is confirmed in the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/shipment-tracker-for-woocommerce/vulnerability/wordpress-shipment-tracker-for-woocommerce-plugin-1-5-3-2-cross-site-scripting-xss-vulnerability and the WordPress plugin repository for the latest release. If no patched version is yet available, the most effective compensating control is to disable subscriber-level user registration on the WordPress site (Settings > General > uncheck 'Anyone can register'), which removes the low-privilege entry point. Alternatively, restrict submission of shipment tracking data to roles of Shop Manager or higher until a fix is applied - note this may disrupt customer self-service workflows. Installing a WordPress WAF (e.g., Wordfence, Patchstack Shield) with XSS rules can provide partial mitigation but should not substitute for patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36964
GHSA-xqc3-7rmw-qh94