Shipment Tracker for Woocommerce < 1.5.3.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting | CVE 2026-39540 | Plugin Vulnerabilities

Description

The Shipment Tracker for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

shipment-tracker-for-woocommerce

Fixed in 1.5.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f84660c8-9dfc-4c1d-9585-edb3b28f1858

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Ba Khanh

Verified

No

WPVDB ID

d226f5f6-d89f-4d0e-b879-18ca0a8bb748

Timeline

Publicly Published

2026-04-16 (about 1 month ago)

Added

2026-04-21 (about 1 month ago)

Last Updated

2026-04-21 (about 1 month ago)

Other

Published

Title

Published

2025-02-03

Title

Upcasted S3 Offload – AWS S3, Digital Ocean Spaces, Backblaze, Minio and more < 3.0.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2023-01-19

Title

Theme Blvd Responsive Google Maps <= 1.0.2 - Contributor+ XSS

Published

2026-02-26

Title

Xpro Addons — 140+ Widgets for Elementor < 1.4.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Scroller Widget box link

Published

2022-12-21

Title

JetWidgets For Elementor < 1.0.14 - Contributor+ Stored XSS via Shortcode

Published

2024-02-05

Title

WP 404 Auto Redirect to Similar Post < 1.0.4 - Reflected Cross-Site Scripting via request