CVE-2026-9702
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer, allowing unauthenticated attackers to silently redirect the shipping destination of WooCommerce orders.
Risk Assessment
Attackers can change the shipping destination of orders, leading to potential financial losses and a breach of customer trust.
Recommendation
It is recommended to update the InPost PL plugin to version 1.9.1 or later to mitigate this vulnerability.
Original NVD description (English source)
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

