What the vulnerability does
01Description
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create_label() and delete_label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete hooks and act on an attacker-supplied post_id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.
Explanation of Vulnerability in Simple Terms
02Summary
The DHL eCommerce (Benelux) for WooCommerce plugin through version 2.2.3 does not properly check user permissions before allowing certain actions. A logged-in user with low privileges can modify data they should not have access to, such as shipping settings or order information. Site owners should update to a version newer than 2.2.3 to prevent unauthorized changes.
What an attacker can do
03Attacker Capabilities
A logged-in user can modify shipping or order data they should not have access to.
Potential impact on your site
04Site Impact
Unauthorized users may alter shipping settings, order details, or other protected plugin data.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account on the site (e.g., customer or subscriber role).
Key dates
06Disclosure timeline
July 9, 2026
CVE published
July 9, 2026
Record updated