PT-2026-56788 · Dhlparcel · Dhl Ecommerce (Benelux) For Woocommerce
Muhan Luo
·
Publicado
2026-07-09
·
Atualizado
2026-07-09
·
CVE-2026-9235
CVSS v3.1
4.3
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create label() and delete label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp ajax dhlpwc label create and wp ajax dhlpwc label delete hooks and act on an attacker-supplied post id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Dhl Ecommerce (Benelux) For Woocommerce