CVE-2026-9235 in DHL eCommerce for WooCommerce Plugin
Summary
by MITRE • 07/09/2026
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create_label() and delete_label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete hooks and act on an attacker-supplied post_id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in the DHL eCommerce (Benelux) for WooCommerce plugin represents a critical authorization flaw that undermines the security model of WordPress e-commerce installations. This issue affects versions up to and including 2.2.3, where the plugin fails to implement proper access controls for sensitive administrative functions. The flaw manifests through two primary endpoints: wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete, which are designed to handle shipping label operations but lack essential security mechanisms that would normally prevent unauthorized manipulation of order data.
The technical implementation of this vulnerability stems from the absence of capability checks and nonce verification within the create_label() and delete_label() functions. These functions operate as AJAX handlers that receive attacker-supplied post_id parameters, which correspond to WooCommerce order IDs. Without proper authorization validation, any authenticated user with Subscriber-level privileges or higher can exploit these endpoints to manipulate shipping labels associated with orders throughout the site. The missing nonce verification further compounds the issue by eliminating protection against cross-site request forgery attacks, making it possible for attackers to execute malicious requests without user consent.
The operational impact of this vulnerability extends beyond simple data manipulation to encompass potential financial loss and service disruption within e-commerce environments. Attackers can create fraudulent shipping labels that may be used to bypass legitimate shipping processes or manipulate delivery information for competitive advantage. The ability to delete existing labels creates additional risks including the potential for disrupting customer orders, creating confusion in logistics operations, and enabling attackers to hide malicious activities by removing evidence of their actions. This vulnerability particularly affects businesses relying on DHL integration for order fulfillment, where shipping label integrity is crucial for maintaining customer trust and operational efficiency.
Security professionals should note this vulnerability aligns with CWE-863 (Incorrect Authorization) and represents a clear violation of the principle of least privilege in web application security. The issue also maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) as it allows attackers to leverage existing user accounts to perform unauthorized actions within the system. Organizations should immediately implement mitigations including upgrading to patched versions of the plugin, implementing additional access controls through custom code if immediate updates are not possible, and monitoring for suspicious activity related to shipping label creation and deletion operations. The vulnerability demonstrates the critical importance of validating all user inputs and implementing proper authentication checks even for seemingly routine administrative functions within WordPress plugins.
This flaw exemplifies how third-party plugin vulnerabilities can create significant risks for e-commerce platforms, where the integrity of order processing and shipping information directly impacts business operations. The attack vector requires only minimal privileges, making it particularly dangerous as it can be exploited by users who have legitimate access to the site but should not possess administrative capabilities over shipping processes. Organizations should conduct comprehensive security assessments of their WordPress installations to identify similar vulnerabilities in other plugins that may lack proper authorization controls. The remediation process must include not just patching the specific vulnerability but also reviewing related functions within the plugin to ensure no additional authorization bypasses exist.