Skip to main content

Inpost Pl

1 CVEs product

Monthly

CVE-2026-9702 HIGH POC PATCH This Week

Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). With CVSS 7.5 and an integrity-only impact, the practical risk is shipment redirection / parcel theft rather than data disclosure.

WordPress Information Disclosure Inpost Pl
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). With CVSS 7.5 and an integrity-only impact, the practical risk is shipment redirection / parcel theft rather than data disclosure.

WordPress Information Disclosure Inpost Pl
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy