Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Remote, unauthenticated, no interaction (AV:N/AC:L/PR:N/UI:N); impact is integrity-only order-data tampering (I:H), with no confidentiality or availability effect.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Articles & Coverage 1
AnalysisAI
Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target WooCommerce site to run the InPost PL plugin at a version below 1.9.1 with the parcel-locker destination feature in use, and a victim order that is in 'pending' or 'processing' status (already-shipped/completed orders are out of scope). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent toward a genuine but bounded threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates or references an order ID on a WooCommerce store running InPost PL and, without logging in, sends a crafted request that updates the order's parcel-locker destination to a locker the attacker controls. Because no buyer-identity or origin check is performed, the change is accepted silently; when the merchant fulfills the still-pending order, the physical goods are routed to the attacker's pickup point. … |
| Remediation | Update the InPost PL plugin to version 1.9.1 or later (Vendor-released patch: 1.9.1), which adds verification that destination-update requests originate from the legitimate buyer. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all pending and processing orders for unexpected shipping-destination changes, prioritizing high-value shipments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39188
GHSA-m6v8-34fj-w7jx