PatchSiren cyber security CVE debrief
CVE-2026-39540 Amit Mittal CVE debrief
A Subscriber Cross Site Scripting (XSS) vulnerability was discovered in Shipment Tracker for Woocommerce plugin versions up to 1.5.3.2. The vulnerability has been assigned a CVSS score of 6.5, indicating a medium severity level. The vulnerability allows a subscriber to inject malicious scripts into the application, potentially leading to unauthorized actions or data breaches.
- Vendor
- Amit Mittal
- Product
- Shipment Tracker for Woocommerce
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of Shipment Tracker for Woocommerce plugin versions up to 1.5.3.2 should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by inadequate input validation and sanitization, allowing an attacker to inject malicious scripts. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Shipment Tracker for Woocommerce plugin to a version that is not vulnerable.
- Implement additional security measures, such as input validation and sanitization, to prevent similar vulnerabilities.
Evidence notes
The vulnerability was reported by [email protected] and is documented in the CVE record.
Official resources
-
CVE-2026-39540 CVE record
CVE.org
-
CVE-2026-39540 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39540 was published on 2026-06-15T21:16:47.430Z and modified on 2026-06-15T21:24:32.790Z.