Skip to main content

JTL-Connector CVE-2026-9234

| EUVDEUVD-2026-33886 MEDIUM
Missing Authorization (CWE-862)
2026-06-02 Wordfence GHSA-vjg8-cqg5-hg64
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 02, 2026 - 08:50 vuln.today
CVE Published
Jun 02, 2026 - 07:48 nvd
MEDIUM 4.3

DescriptionCVE.org

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.

AnalysisAI

Missing authorization controls in the JTL-Connector for WooCommerce WordPress plugin (all versions through 2.4.1) allow authenticated attackers holding only Subscriber-level access to invoke three unprotected server-side actions: modifying arbitrary plugin settings, downloading a ZIP archive of developer log files, and deleting those logs. The root cause is the complete absence of WordPress capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector handler and the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX handlers. No public exploit has been identified at time of analysis, and no patched version is confirmed in the available data.

Technical ContextAI

The vulnerability is classified as CWE-862 (Missing Authorization), affecting the WordPress plugin identified by CPE cpe:2.3:a:ntbyk:jtl-connector_for_woocommerce:*:*:*:*:*:*:*:*. WordPress enforces authorization on admin and AJAX actions through two mechanisms: capability checks via current_user_can() and nonce tokens to prevent CSRF. The three affected handlers - JtlConnectorAdmin::save() registered on admin_post_settings_save_woo-jtl-connector (source confirmed at JtlConnectorAdmin.php lines 574 and 3007), and the global functions downloadJTLLogs() and clearJTLLogs() registered on their respective wp_ajax_ hooks (woo-jtl-connector.php lines 161 and 221) - omit both protections entirely. Notably, WordPress reserves the wp_ajax_ hook prefix (without _nopriv_) for authenticated users only, which means unauthenticated exploitation is structurally blocked, but any logged-in user regardless of role can trigger these endpoints. The plugin facilitates ERP integration between JTL-Wawi and WooCommerce stores, meaning its configuration and log files may contain sensitive API keys or ERP connection parameters.

RemediationAI

No vendor-released patched version has been identified at time of analysis - all available references point to the vulnerable 2.4.1 codebase. Monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1475f3c4-b1ff-422c-a832-f6261361c240) for patch availability and apply any released update immediately. As an interim compensating control, deactivating the JTL-Connector for WooCommerce plugin is the most effective measure, as it prevents WordPress from registering all three vulnerable action hooks entirely; the trade-off is loss of JTL-Wawi ERP synchronization. If deactivation is operationally unfeasible, disabling open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') raises the barrier by removing the easiest path to obtaining a Subscriber account, though it does not protect against attackers with existing accounts or compromised credentials. Additionally, restricting access to wp-admin/admin-post.php and wp-admin/admin-ajax.php at the network or WAF layer to known administrative IP ranges will block remote exploitation at the cost of potentially disrupting legitimate connector sync operations if those originate from dynamic IPs.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-9234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy