Skip to main content

InPost PL EUVDEUVD-2026-39188

| CVE-2026-9702 HIGH
2026-06-25 WPScan GHSA-m6v8-34fj-w7jx
7.5
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Remote, unauthenticated, no interaction (AV:N/AC:L/PR:N/UI:N); impact is integrity-only order-data tampering (I:H), with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 13:23 vuln.today
CVSS changed
Jun 25, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
Jun 25, 2026 - 08:01 EUVD
CVE Published
Jun 25, 2026 - 06:00 cve.org
HIGH 7.5
CVE Published
Jun 25, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

AnalysisAI

Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify store running InPost PL
Delivery
Reference pending/processing order ID
Exploit
Send unauthenticated destination-update request
Execution
Server accepts without buyer verification
Persist
Order shipping rerouted to attacker locker
Impact
Merchant ships goods to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires the target WooCommerce site to run the InPost PL plugin at a version below 1.9.1 with the parcel-locker destination feature in use, and a victim order that is in 'pending' or 'processing' status (already-shipped/completed orders are out of scope). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent toward a genuine but bounded threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates or references an order ID on a WooCommerce store running InPost PL and, without logging in, sends a crafted request that updates the order's parcel-locker destination to a locker the attacker controls. Because no buyer-identity or origin check is performed, the change is accepted silently; when the merchant fulfills the still-pending order, the physical goods are routed to the attacker's pickup point. …
Remediation Update the InPost PL plugin to version 1.9.1 or later (Vendor-released patch: 1.9.1), which adds verification that destination-update requests originate from the legitimate buyer. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all pending and processing orders for unexpected shipping-destination changes, prioritizing high-value shipments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39188 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy