Unauthorized Modification and Data Loss in DHL eCommerce Plugin for WooCommerce
CVE-2026-9235

4.3MEDIUM

What is CVE-2026-9235?

The DHL eCommerce (Benelux) plugin for WooCommerce contains vulnerabilities that allow authenticated users with Subscriber-level access and above to manipulate DHL shipping labels. Specifically, the create_label() and delete_label() functions lack necessary checks to validate user permissions. This oversight permits attackers to create or delete shipping labels associated with any WooCommerce order on the platform, thereby risking unauthorized modifications and potential data loss.

Affected Version(s)

DHL eCommerce (Benelux) for WooCommerce 0 <= 2.2.3

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhan Luo
.