Orders Tracking for WooCommerce < 1.2.11 – Unauthenticated Arbitrary Shortcode Execution | CVE 2024-4039 | Plugin Vulnerabilities

Description

The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. A partial patch was released in 1.2.10, and a complete patch was released in 1.2.11.

Affects Plugins

woo-orders-tracking

Fixed in 1.2.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/991ab188-869c-4875-80f3-940000a1717b

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

70676d07-5485-489f-8b88-cbed09ba8ec4

Timeline

Publicly Published

2024-05-09 (about 2 years ago)

Added

2024-05-09 (about 2 years ago)

Last Updated

2024-05-09 (about 2 years ago)

Other

Published

Title

Published

2026-04-03

Title

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress < 4.16.12 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields

Published

2025-09-22

Title

Advanced Views < 3.7.20 - Author+ Remote Code Execution via SSTI

Published

2021-03-16

Title

WP Super Cache < 1.7.2 - Authenticated Remote Code Execution (RCE)

Published

2025-09-22

Title

WPCasa < 1.4.2 - Unauthenticated Code Injection

Published

2025-09-22

Title

AWP Classifieds <= 4.4.3 - Unauthenticated Arbitrary Shortcode Execution