PT-2026-56788 · Dhlparcel · Dhl Ecommerce (Benelux) For Woocommerce

Muhan Luo

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-9235

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create label() and delete label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp ajax dhlpwc label create and wp ajax dhlpwc label delete hooks and act on an attacker-supplied post id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9235

Affected Products

Dhl Ecommerce (Benelux) For Woocommerce