Description
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The InPost PL WordPress plugin prior to version 1.9.1 allows an unauthenticated attacker to update the WooCommerce order parcel-locker destination for any pending or processing order. A malicious user can therefore silently change where a package will be shipped, causing delivery to the wrong address or to an attacker-controlled location. The attack requires neither authentication nor a privileged account; misdirected shipments can result in financial loss and a loss of customer trust.

Affected Systems

WordPress sites using the InPost PL plugin with a version earlier than 1.9.1 are affected. The vulnerability exists in the plugin's endpoint that processes parcel-locker updates and does not validate the request origin or the user's permissions. Any site that enables WooCommerce orders with the InPost plugin is at risk unless the plugin is upgraded to 1.9.1 or later.

Risk and Exploitability

The flaw can be exploited remotely simply by accessing the order update endpoint, as it does not require authentication. While no CVSS score is published, the impact on delivery logistics and potential financial damage would be considered high. The EPSS score is not listed and the vulnerability is not in the CISA KEV catalog, but the lack of defensive checks makes it highly likely that attackers could find and use the vulnerability in the wild.

Generated by OpenCVE AI on June 25, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the InPost PL plugin to version 1.9.1 or later.
  • If an immediate update is not possible, block unauthenticated access to the order parcel-locker update endpoint using a firewall rule or a security plugin that restricts this action to authenticated users.
  • Review and harden any custom code that interacts with WooCommerce order shipping information to ensure it only accepts requests from verified customers or administrators.
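As an added illustration of the last recommendation (example code, not from the InPost plugin or from OpenCVE), a WordPress AJAX handler that changes an order's parcel locker only after verifying that the caller owns the order; the action name, the meta key and the locker-code pattern are assumptions.

```php
<?php
// Added example of a hardened WooCommerce parcel-locker update handler.
// Hypothetical action/meta names; not the InPost PL plugin's own code.

add_action( 'wp_ajax_example_update_parcel_locker', 'example_update_parcel_locker' );
// No 'wp_ajax_nopriv_' registration: unauthenticated requests get no handler at all.

function example_update_parcel_locker() {
    // 1. CSRF: the nonce ties the request to a form rendered for the logged-in user.
    check_ajax_referer( 'example_update_parcel_locker', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $locker   = isset( $_POST['locker'] ) ? sanitize_text_field( wp_unslash( $_POST['locker'] ) ) : '';

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }

    // 2. Authorization (the CWE-639 check): order_id is a user-controlled key,
    //    so the caller must own the order, or hold WooCommerce's order-editing
    //    capability. Guest orders (customer id 0) are refused here; they would
    //    need a separate check against the order key instead.
    $current_user = get_current_user_id();
    $owns_order   = $current_user > 0 && (int) $order->get_customer_id() === $current_user;
    if ( ! $owns_order && ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. State: only orders that have not shipped may change destination.
    if ( ! $order->has_status( array( 'pending', 'processing' ) ) ) {
        wp_send_json_error( 'order can no longer be changed', 409 );
    }

    // 4. Input: locker code format (assumed pattern; adjust to the carrier's scheme).
    if ( ! preg_match( '/^[A-Z0-9]{3,12}$/', $locker ) ) {
        wp_send_json_error( 'invalid locker code', 400 );
    }

    $order->update_meta_data( '_example_parcel_locker', $locker ); // hypothetical meta key
    // The order note leaves an audit trail, so an unexpected destination change is visible.
    $order->add_order_note( sprintf( 'Parcel locker changed to %s by user %d', $locker, $current_user ) );
    $order->save();

    wp_send_json_success( array( 'locker' => $locker ) );
}
```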

Generated by OpenCVE AI on June 25, 2026 at 07:20 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 07:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Thu, 25 Jun 2026 06:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

Type: Title
Values Removed: (none)
Values Added: InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking

Type: References
Values Removed: (none)
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-25T06:00:02.239Z

Reserved: 2026-05-27T12:27:44.505Z

Link: CVE-2026-9702

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T07:30:17Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key