PT-2026-56788 · Dhlparcel · Dhl Ecommerce (Benelux) For Woocommerce
Muhan Luo
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-9235
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create label() and delete label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp ajax dhlpwc label create and wp ajax dhlpwc label delete hooks and act on an attacker-supplied post id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dhl Ecommerce (Benelux) For Woocommerce