CVE-2024-4039: CWE-94 Improper Control of Generation of Code ('Code Injection') in villatheme Orders Tracking for WooCommerce
The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. A partial patch was released in 1.2.10, and a complete patch was released in 1.2.11.
AI Analysis
Technical Summary
CVE-2024-4039 is a code injection vulnerability (CWE-94) in the Orders Tracking for WooCommerce plugin for WordPress. The plugin improperly controls the generation of code by allowing unauthenticated users to execute arbitrary shortcodes via an action that does not validate input before calling do_shortcode. This vulnerability exists in all versions up to and including 1.2.10. The vendor released a partial fix in version 1.2.10 and a complete fix in 1.2.11, addressing the improper validation and preventing arbitrary shortcode execution.
Potential Impact
Exploitation allows unauthenticated attackers to execute arbitrary shortcodes, which can lead to limited confidentiality and integrity impacts within the WordPress environment. There is no indication of availability impact. The CVSS score of 6.5 (medium severity) reflects the network attack vector with low complexity and no privileges or user interaction required.
Mitigation Recommendations
Users should upgrade to version 1.2.11 or later, where a complete patch for this vulnerability has been applied. Versions up to 1.2.10 contain either no fix or only a partial fix and remain vulnerable. No other mitigations are specifically indicated by the vendor advisory.
CVE-2024-4039: CWE-94 Improper Control of Generation of Code ('Code Injection') in villatheme Orders Tracking for WooCommerce
Description
The The Orders Tracking for WooCommerce plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. A partial patch was released in 1.2.10, and a complete patch was released in 1.2.11.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-4039 is a code injection vulnerability (CWE-94) in the Orders Tracking for WooCommerce plugin for WordPress. The plugin improperly controls the generation of code by allowing unauthenticated users to execute arbitrary shortcodes via an action that does not validate input before calling do_shortcode. This vulnerability exists in all versions up to and including 1.2.10. The vendor released a partial fix in version 1.2.10 and a complete fix in 1.2.11, addressing the improper validation and preventing arbitrary shortcode execution.
Potential Impact
Exploitation allows unauthenticated attackers to execute arbitrary shortcodes, which can lead to limited confidentiality and integrity impacts within the WordPress environment. There is no indication of availability impact. The CVSS score of 6.5 (medium severity) reflects the network attack vector with low complexity and no privileges or user interaction required.
Mitigation Recommendations
Users should upgrade to version 1.2.11 or later, where a complete patch for this vulnerability has been applied. Versions up to 1.2.10 contain either no fix or only a partial fix and remain vulnerable. No other mitigations are specifically indicated by the vendor advisory.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-04-22T18:56:40.286Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b80b7ef31ef0b556041
Added to database: 2/25/2026, 9:37:04 PM
Last enriched: 4/9/2026, 2:26:46 PM
Last updated: 4/12/2026, 1:37:54 PM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.