Skip to main content

Shipment Tracker WooCommerce CVE-2026-39540

| EUVDEUVD-2026-36964 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-xqc3-7rmw-qh94
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

Subscriber-level authentication (PR:L) and admin page-view (UI:R) are required; scope change reflects XSS executing in admin browser context.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:11 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
MEDIUM 6.5

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in Shipment Tracker for Woocommerce <= 1.5.3.2 versions.

AnalysisAI

Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.

Technical ContextAI

The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical stored XSS weakness class. The affected component is a WooCommerce plugin developed by Amit Mittal (CPE: cpe:2.3:a:amit_mittal:shipment_tracker_for_woocommerce:*:*:*:*:*:*:*:*), which extends WooCommerce order management with shipment tracking data fields. The XSS occurs because subscriber-supplied tracking data - likely shipment notes, tracking numbers, or carrier fields - is stored in the database and later rendered without proper output encoding or sanitization in an administrative view. WordPress subscriber accounts are the lowest authenticated role and typically map to standard customer accounts in WooCommerce storefronts, making the attack surface broad for any site accepting orders.

RemediationAI

The primary remediation is to update the Shipment Tracker for WooCommerce plugin to a version beyond 1.5.3.2; however, no specific patched release version is confirmed in the available data - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/shipment-tracker-for-woocommerce/vulnerability/wordpress-shipment-tracker-for-woocommerce-plugin-1-5-3-2-cross-site-scripting-xss-vulnerability and the WordPress plugin repository for the latest release. If no patched version is yet available, the most effective compensating control is to disable subscriber-level user registration on the WordPress site (Settings > General > uncheck 'Anyone can register'), which removes the low-privilege entry point. Alternatively, restrict submission of shipment tracking data to roles of Shop Manager or higher until a fix is applied - note this may disrupt customer self-service workflows. Installing a WordPress WAF (e.g., Wordfence, Patchstack Shield) with XSS rules can provide partial mitigation but should not substitute for patching.

Share

CVE-2026-39540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy