CVE-2026-9234
Description
The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.
Affected products
- Range: <=2.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly check user capabilities and verify nonces before executing sensitive administrative actions."
Attack vector
Any authenticated user with at least Subscriber-level access can exploit this. WordPress dispatches `wp_ajax_*` hooks (via `admin-ajax.php`) and `admin_post_*` hooks (via `admin-post.php`) for every logged-in user regardless of role; it is the handler's job to call `current_user_can()` and verify a nonce. Because the handlers here do neither, a Subscriber can simply send a POST to those endpoints with the right `action` parameter and the request is processed as if it came from an administrator. This allows them to modify plugin settings, download log files, or delete log files without possessing the necessary administrative privileges [ref_id=1]. The affected hooks are `admin_post_settings_save_woo-jtl-connector`, `wp_ajax_downloadJTLLogs` and `wp_ajax_clearJTLLogs` [ref_id=1]. Because no nonce is checked either, the same requests could also be forged cross-site against a logged-in administrator; the advisory, however, describes only the authenticated Subscriber path.
Affected code
The vulnerability resides in the JTL-Connector for WooCommerce plugin. Specifically, it affects the `JtlConnectorAdmin::save()` method, which handles the `admin_post_settings_save_woo-jtl-connector` action, and the global functions `downloadJTLLogs()` and `clearJTLLogs()`, which are hooked to `wp_ajax_downloadJTLLogs` and `wp_ajax_clearJTLLogs` respectively [ref_id=1].
What the fix does
No fix commit is available in this bundle, and no patched version is listed above. The root cause determines the fix: each of the three handlers needs a capability check (an appropriate capability such as `manage_options` or `manage_woocommerce`) and nonce verification (`check_admin_referer()` for the `admin_post_*` handler, `check_ajax_referer()` for the two AJAX handlers) before it reads settings, builds the log archive or deletes files. Until a patched release is available, the practical mitigation is to restrict who can hold a WordPress account on the site and to treat the connector's developer logs as exposed to every registered user.
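The following is an added example, not code from the JTL-Connector plugin or from its fix. It reconstructs the handler pattern the "Attack vector" and "What the fix does" sections describe: the hook names are the ones named in the advisory, but every function body, the capability (`manage_options`), the nonce action names, the option key, the script handle and the log directory are assumptions chosen for illustration. The first function shows what an unguarded `wp_ajax_*` handler amounts to; the rest shows the same three handlers with the capability check and nonce verification the advisory says are missing.

```php
<?php
/**
 * Added example (not the plugin's own code). Hook names come from the
 * advisory; all bodies, names and paths below are assumed for illustration.
 */

/* ---- Unguarded handler: the shape of the reported bug. wp_ajax_* fires for
 *      every logged-in user, Subscriber included, and nothing here asks who
 *      is calling or whether the request was intentionally sent. ---- */
function downloadJTLLogs_unguarded(): void {
    $zip = jtl_build_log_zip();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="connector-logs.zip"');
    readfile($zip);
    wp_die();
}

/* ---- Hardened versions ---- */
define('JTL_LOG_DIR', WP_CONTENT_DIR . '/uploads/woo-jtl-connector/logs'); // assumed location
define('JTL_NONCE_LOGS', 'woo-jtl-connector-logs');                          // assumed nonce action
define('JTL_NONCE_SETTINGS', 'woo-jtl-connector-settings');                  // assumed nonce action
define('JTL_CAP', 'manage_options');                                         // assumed capability

/** Shared gate for both AJAX handlers: capability first, then nonce. */
function jtl_require_admin_ajax(): void {
    if (!current_user_can(JTL_CAP)) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }
    // Compares $_REQUEST['nonce'] against JTL_NONCE_LOGS and dies on mismatch.
    check_ajax_referer(JTL_NONCE_LOGS, 'nonce');
}

function downloadJTLLogs(): void {
    jtl_require_admin_ajax();
    $zip = jtl_build_log_zip();
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="connector-logs.zip"');
    readfile($zip);
    unlink($zip);
    wp_die();
}

function clearJTLLogs(): void {
    jtl_require_admin_ajax();
    foreach (glob(JTL_LOG_DIR . '/*.log') ?: [] as $file) {
        unlink($file);
    }
    wp_send_json_success(['cleared' => true]);
}

// No wp_ajax_nopriv_* registration: these actions have no anonymous caller.
add_action('wp_ajax_downloadJTLLogs', 'downloadJTLLogs');
add_action('wp_ajax_clearJTLLogs', 'clearJTLLogs');

// The admin page script must send the nonce it receives here as the 'nonce'
// parameter; 'woo-jtl-connector-admin' is an assumed script handle.
add_action('admin_enqueue_scripts', function (): void {
    wp_localize_script('woo-jtl-connector-admin', 'jtlAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce(JTL_NONCE_LOGS),
    ]);
});

class JtlConnectorAdmin {
    public function __construct() {
        add_action('admin_post_settings_save_woo-jtl-connector', [$this, 'save']);
    }

    /** Settings form; wp_nonce_field() pairs with check_admin_referer() in save(). */
    public function render_form(): void {
        echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
        echo '<input type="hidden" name="action" value="settings_save_woo-jtl-connector">';
        wp_nonce_field(JTL_NONCE_SETTINGS); // emits _wpnonce and _wp_http_referer
        echo '<input type="text" name="jtl_settings[endpoint]">';
        submit_button();
        echo '</form>';
    }

    public function save(): void {
        if (!current_user_can(JTL_CAP)) {
            wp_die('You are not allowed to change these settings.', '', ['response' => 403]);
        }
        check_admin_referer(JTL_NONCE_SETTINGS); // checks $_REQUEST['_wpnonce'], dies on failure

        $raw   = isset($_POST['jtl_settings']) && is_array($_POST['jtl_settings'])
               ? wp_unslash($_POST['jtl_settings']) : [];
        $clean = ['endpoint' => esc_url_raw($raw['endpoint'] ?? '')]; // assumed setting
        update_option('woo-jtl-connector-settings', $clean);           // assumed option key

        wp_safe_redirect(add_query_arg('updated', '1', wp_get_referer() ?: admin_url()));
        exit;
    }
}

/** Builds a temporary ZIP of the log directory and returns its path. */
function jtl_build_log_zip(): string {
    $path = get_temp_dir() . 'connector-logs-' . wp_generate_password(8, false) . '.zip';
    $zip  = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE);
    foreach (glob(JTL_LOG_DIR . '/*.log') ?: [] as $file) {
        $zip->addFile($file, basename($file));
    }
    $zip->close();
    return $path;
}
```

The order inside each gate matters: the capability check comes first so that a Subscriber is refused before the nonce is even inspected, and the nonce check then covers the cross-site case for administrators. `check_ajax_referer()` and `check_admin_referer()` both terminate the request on failure, so code after them only runs for a correctly signed request from a sufficiently privileged user.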
Preconditions
- auth: The attacker must be authenticated with at least Subscriber-level access.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/includes/JtlConnectorAdmin.php
- plugins.trac.wordpress.org/browser/woo-jtl-connector/tags/2.4.1/woo-jtl-connector.php
- www.wordfence.com/threat-intel/vulnerabilities/id/1475f3c4-b1ff-422c-a832-f6261361c240
News mentions
- WordPress: 25 Vulnerabilities Disclosed Together on June 2, 2026 (Vypr Intelligence, Jun 2, 2026)