Description
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The InPost PL WordPress plugin before version 1.9.1 lacks a check to confirm that the request originates from the legitimate buyer, allowing an unauthenticated attacker to change the parcel‑locker destination on any pending or processing WooCommerce order. This flaw can result in packages being shipped to an attacker‑controlled address, undermining customer trust and potentially causing financial loss.

Affected Systems

WordPress sites that use the InPost PL plugin with a version earlier than 1.9.1 are affected. All sites that enable WooCommerce orders with the InPost plugin are at risk until the plugin is upgraded to 1.9.1 or later.

Risk and Exploitability

The vulnerability can be exploited remotely by sending a crafted request to the order update endpoint; authentication is not required. The CVSS score of 7.5 indicates high severity, and the EPSS score is < 1 %, suggesting a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, but the absence of request validation makes it feasible for attackers to find the flaw in real systems. The likely attack vector is a direct HTTP request to the plugin’s parcel‑locker update interface, reachable from the public web.

Generated by OpenCVE AI on June 25, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the InPost PL plugin to version 1.9.1 or later.
  • If an immediate update is not possible, block unauthenticated access to the order parcel‑locker update endpoint using a firewall rule or a security plugin that restricts this action to authenticated users.
  • Review and harden any custom code that interacts with WooCommerce order shipping information to ensure it only accepts requests from verified customers or administrators.

Generated by OpenCVE AI on June 25, 2026 at 16:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Inpost Pl
Inpost Pl inpost Pl
Wordpress
Wordpress wordpress
Vendors & Products Inpost Pl
Inpost Pl inpost Pl
Wordpress
Wordpress wordpress

Thu, 25 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639

Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Title InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking
References

Subscriptions

Inpost Pl Inpost Pl
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-25T12:35:25.054Z

Reserved: 2026-05-27T12:27:44.505Z

Link: CVE-2026-9702

cve-icon Vulnrichment

Updated: 2026-06-25T12:33:39.960Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:38:28Z

Weaknesses