CVE-2026-9234 MEDIUM

CVE-2026-9234: JTL-Connector for WooCommerce <= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Settings Modification via Multiple Functions

Vendor Ntbyk
Product JTL-Connector for WooCommerce
Weakness CWE-862 · Missing authorization
Published June 2, 2026
Last update June 2, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.

Explanation of Vulnerability in Simple Terms

02Summary

The JTL-Connector for WooCommerce through version 2.4.1 lacks proper authorization checks, allowing authenticated users with low privileges to modify data they should not have access to. An attacker with a basic user account can alter information without proper permission validation. The vulnerability affects the plugin's core functionality and requires an active user account to exploit.

What an attacker can do

03Attacker Capabilities

Modify data in the plugin without proper authorization checks.

Potential impact on your site

04Site Impact

Unauthorized users can alter plugin data, potentially corrupting product information or connector settings.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated user account on the WooCommerce site.

Key dates

06Disclosure timeline

June 2, 2026 CVE published
June 2, 2026 Record updated

Related vulnerabilities

08Related CVE