Skip to main content

DHL WooCommerce Plugin CVE-2026-9235

| EUVDEUVD-2026-42565 MEDIUM
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-x7cc-jgf9-8v48
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by wp_ajax_ login requirement; A:L added over vendor score because label deletion directly disrupts order fulfillment availability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 11:57 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
MEDIUM 4.3

DescriptionCVE.org

The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create_label() and delete_label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete hooks and act on an attacker-supplied post_id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.

AnalysisAI

Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber-level account
Delivery
Enumerate WooCommerce order post_id values
Exploit
Craft POST to /wp-admin/admin-ajax.php with dhlpwc_label_create or dhlpwc_label_delete action
Execution
Bypass missing capability and nonce checks
Persist
Create or delete DHL label on arbitrary order
Impact
Disrupt fulfillment or enable shipping fraud

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold any authenticated WordPress account at Subscriber level or above - the wp_ajax_ hook family blocks unauthenticated callers entirely, so sites with no user registration or account creation are not directly exploitable without first obtaining credentials. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-aligned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N appropriately flags the low privilege barrier but may underrepresent operational impact: deleting DHL shipping labels disrupts order fulfillment workflows, which is a stronger availability concern than the A:N metric reflects. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free customer account on a WooCommerce store using the vulnerable plugin, then sends a crafted POST request to /wp-admin/admin-ajax.php with action=dhlpwc_label_delete and a sequential or enumerated post_id corresponding to another customer's order. Because no nonce or capability check is performed, the plugin deletes the DHL shipping label for that order, disrupting fulfillment and potentially triggering re-shipment fraud or denial of service across the store's order queue. …
Remediation Update the DHL eCommerce (Benelux) for WooCommerce plugin to the version incorporating changeset 3575375 from the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3575375%40dhlpwc&new=3575375%40dhlpwc); the exact released patched version number is not confirmed from available data and should be verified on the WordPress plugin page or the Wordfence advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy