Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
PR:L confirmed by wp_ajax_ login requirement; A:L added over vendor score because label deletion directly disrupts order fulfillment availability.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create_label() and delete_label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete hooks and act on an attacker-supplied post_id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.
AnalysisAI
Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold any authenticated WordPress account at Subscriber level or above - the wp_ajax_ hook family blocks unauthenticated callers entirely, so sites with no user registration or account creation are not directly exploitable without first obtaining credentials. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-aligned CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N appropriately flags the low privilege barrier but may underrepresent operational impact: deleting DHL shipping labels disrupts order fulfillment workflows, which is a stronger availability concern than the A:N metric reflects. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free customer account on a WooCommerce store using the vulnerable plugin, then sends a crafted POST request to /wp-admin/admin-ajax.php with action=dhlpwc_label_delete and a sequential or enumerated post_id corresponding to another customer's order. Because no nonce or capability check is performed, the plugin deletes the DHL shipping label for that order, disrupting fulfillment and potentially triggering re-shipment fraud or denial of service across the store's order queue. … |
| Remediation | Update the DHL eCommerce (Benelux) for WooCommerce plugin to the version incorporating changeset 3575375 from the WordPress plugin repository (https://plugins.trac.wordpress.org/changeset?reponame=&old=3575375%40dhlpwc&new=3575375%40dhlpwc); the exact released patched version number is not confirmed from available data and should be verified on the WordPress plugin page or the Wordfence advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42565
GHSA-x7cc-jgf9-8v48