Impact
The InPost PL WordPress plugin before version 1.9.1 lacks a check to confirm that the request originates from the legitimate buyer, allowing an unauthenticated attacker to change the parcel‑locker destination on any pending or processing WooCommerce order. This flaw can result in packages being shipped to an attacker‑controlled address, undermining customer trust and potentially causing financial loss.
Affected Systems
WordPress sites that use the InPost PL plugin with a version earlier than 1.9.1 are affected. All sites that enable WooCommerce orders with the InPost plugin are at risk until the plugin is upgraded to 1.9.1 or later.
Risk and Exploitability
The vulnerability can be exploited remotely by sending a crafted request to the order update endpoint; authentication is not required. The CVSS score of 7.5 indicates high severity, and the EPSS score is < 1 %, suggesting a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, but the absence of request validation makes it feasible for attackers to find the flaw in real systems. The likely attack vector is a direct HTTP request to the plugin’s parcel‑locker update interface, reachable from the public web.
OpenCVE Enrichment