← back
CVE-2026-9702

InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking

CVSS 7.5 HIGHEPSS 0.1%
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
Unknown · InPost PL
public PoCs found1
cve_referencewpscan.com/vulnerability/79b27813-3d75-46a3-98d3-e6d8eb8ad467/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/79b27813-3d75-46a3-98d3-e6d8eb8ad467/