What the vulnerability does
01Description
The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.
Explanation of Vulnerability in Simple Terms
02Summary
The JTL-Connector for WooCommerce through version 2.4.1 lacks proper authorization checks, allowing authenticated users with low privileges to modify data they should not have access to. An attacker with a basic user account can alter information without proper permission validation. The vulnerability affects the plugin's core functionality and requires an active user account to exploit.
What an attacker can do
03Attacker Capabilities
Modify data in the plugin without proper authorization checks.
Potential impact on your site
04Site Impact
Unauthorized users can alter plugin data, potentially corrupting product information or connector settings.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege authenticated user account on the WooCommerce site.
Key dates
06Disclosure timeline
June 2, 2026
CVE published
June 2, 2026
Record updated