Description
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create_label() and delete_label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete hooks and act on an attacker-supplied post_id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.
Problem types
Product status
Any version
Timeline
| 2026-07-08: | Disclosed |
Credits
Muhan Luo
References
www.wordfence.com/...-3e38-4ff4-b53c-c7c35f1b956a?source=cve
plugins.trac.wordpress.org/...roller-admin-order-metabox.php
plugins.trac.wordpress.org/...roller-admin-order-metabox.php
plugins.trac.wordpress.org/...roller-admin-order-metabox.php
plugins.trac.wordpress.org/...%40dhlpwc&new=3575375%40dhlpwc