CVE Catalog

CVE-2026-9702

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

3th percentile — higher than 3% of all known CVEs

Summary

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer, allowing unauthenticated attackers to silently redirect the shipping destination of WooCommerce orders.

Risk Assessment

Attackers can change the shipping destination of orders, leading to potential financial losses and a breach of customer trust.

Recommendation

It is recommended to update the InPost PL plugin to version 1.9.1 or later to mitigate this vulnerability.

Original NVD description (English source)

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS