cleantalk
Vulnerabilities and Security Researches

Order Tracking – WordPress Status Tracking Plugin, CVE-2023-4500

CVE, Research URL

CVE-2023-4500

Home page URL

Security reports for Order Tracking – WordPress Status Tracking Plugin

Application

Order Tracking – WordPress Status Tracking Plugin

Published on
Aug 31, 2023
Research Description
The Order Tracking Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the order status parameter in versions up to, and including, 3.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers (admin or higher) to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 3.3.7.
Status
vulnerable
Previous vulnerability researches
MIMO Woocommerce Order Tracking (CVE-2024-5769) , Jan 10, 2025
MIMO Woocommerce Order Tracking (CVE-2024-5768) , Jun 20, 2024
Order Tracking – WordPress Status Tracking Plugin (CVE-2024-43343) , Aug 20, 2024
Order Tracking – WordPress Status Tracking Plugin (CVE-2026-39602) , Apr 13, 2026
Order Tracking – WordPress Status Tracking Plugin (0f8e0ae795486b0420f4812986aa8158cc3e041c) , Jun 07, 2024
New vulnerability
Collect.chat – Chatbot ⚡️ (CVE-2026-0736) , Apr 15, 2026
SQL Chart Builder (CVE-2026-4079) , Apr 15, 2026
FastDup – Fastest WordPress Migration & Duplicator (CVE-2026-1104) , Apr 15, 2026
Timeline Block (CVE-2026-1228) , Apr 15, 2026
Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress (CVE-2026-3180) , Apr 15, 2026