CVE-2026-9702 in InPost PL Plugin

Summary

by MITRE • 06/25/2026

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability in the InPost PL WordPress plugin affects versions prior to 1.9.1 and is a critical authorization flaw that undermines the integrity of WooCommerce order management. It stems from the plugin's failure to perform proper authentication checks when processing requests that modify the parcel-locker destination of a WooCommerce order. Because the origin of the request is never verified, an unauthenticated attacker can change shipping destinations without valid credentials or authorization tokens, a significant risk for e-commerce operations that rely on the plugin for delivery management.

The flaw lies in the absence of request validation that would confirm the legitimacy of users attempting to modify order shipping information. Per CWE-863, it manifests as an "Incorrect Authorization" issue: the system fails to properly authenticate and authorize users before permitting modifications to protected resources. The vulnerability sits at the application layer, specifically in the plugin's WooCommerce integration, and lets attackers silently redirect orders from their intended recipients to arbitrary destinations with no audit trail or notification to legitimate users.

Operationally, this presents severe implications for businesses using the InPost PL plugin, since it lets attackers change order delivery locations at will. The impact goes beyond simple redirection: malicious actors could intercept packages, cause delivery delays, or facilitate fraud by redirecting orders to unauthorized recipients. This type of attack aligns with ATT&CK technique T1078.004, "Valid Accounts: Cloud Accounts", and shows how unauthorized access to legitimate system functions can be exploited for operational disruption. Because the modification is silent, order fulfillment teams may not detect the tampering immediately, leading to customer dissatisfaction and financial losses.

The issue is particularly concerning because it affects pending or processing orders, which are in active workflow states. Attackers could target high-value orders or time their activity to maximize disruption during peak shipping periods. The risk persists until the plugin is updated to version 1.9.1 or later, making remediation urgent for affected organizations. Immediate mitigations include updating the plugin, network monitoring for suspicious API requests, and tightening access controls on WooCommerce administration interfaces. The vulnerability underscores the importance of proper input validation and authentication in e-commerce systems, particularly those handling sensitive transactional data and logistics information.
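The pattern described above (an endpoint that updates an order's parcel locker without checking that the caller is the buyer) and the fixes the analysis calls for (an origin check, a status check and an audit trail) are shown side by side in the following example. This is added illustrative code, not the InPost PL plugin's own code: the AJAX action name `example_update_locker`, the request parameters, the meta key `_example_parcel_locker` and the locker-code format are all assumptions, and only the WordPress and WooCommerce functions used (`check_ajax_referer`, `wc_get_order`, `WC_Order::has_status`, `get_customer_id`, `get_order_key`, `add_order_note`) are real APIs.

```php
<?php
/**
 * Added example, not plugin code. Hook names, parameters and the
 * '_example_parcel_locker' meta key are assumptions for illustration.
 */

// --- Weak pattern: what CWE-863 looks like in a WordPress AJAX handler ---
// Reachable by logged-out visitors and trusts the order id and locker code
// straight from the request. Left unregistered so it is never active.
function example_weak_update_locker() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $locker   = sanitize_text_field( wp_unslash( $_POST['locker'] ?? '' ) );

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }
    // No nonce, no ownership check, no status check, no order note:
    // anyone who knows an order id can move the parcel silently.
    $order->update_meta_data( '_example_parcel_locker', $locker );
    $order->save();
    wp_send_json_success();
}

// --- Hardened pattern ---
function example_can_change_locker( WC_Order $order, string $order_key ): bool {
    // Only orders still in an active workflow state may be redirected.
    if ( ! $order->has_status( array( 'pending', 'processing' ) ) ) {
        return false;
    }
    // Shop managers may always edit.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Logged-in buyer: the order must belong to the current account.
    $customer_id = (int) $order->get_customer_id();
    if ( $customer_id > 0 ) {
        return $customer_id === get_current_user_id();
    }
    // Guest checkout: require the order key, which only the buyer received
    // (compared in constant time).
    return '' !== $order_key && hash_equals( $order->get_order_key(), $order_key );
}

function example_hardened_update_locker() {
    // Rejects requests without a valid nonce (dies with 403).
    check_ajax_referer( 'example_update_locker', 'nonce' );

    $order_id  = absint( $_POST['order_id'] ?? 0 );
    $order_key = sanitize_text_field( wp_unslash( $_POST['order_key'] ?? '' ) );
    $locker    = sanitize_text_field( wp_unslash( $_POST['locker'] ?? '' ) );

    $order = wc_get_order( $order_id );
    // One response for "missing" and "not yours" so order ids cannot be enumerated.
    if ( ! $order || ! example_can_change_locker( $order, $order_key ) ) {
        wp_send_json_error( 'not permitted', 403 );
    }
    // Assumed locker-code format: short upper-case alphanumeric identifier.
    if ( ! preg_match( '/^[A-Z0-9]{3,12}$/', $locker ) ) {
        wp_send_json_error( 'invalid locker', 400 );
    }

    $previous = (string) $order->get_meta( '_example_parcel_locker' );
    $order->update_meta_data( '_example_parcel_locker', $locker );
    // Audit trail: fulfilment staff can see who changed the destination and when.
    $order->add_order_note( sprintf(
        'Parcel locker changed from "%s" to "%s" by user #%d from %s',
        $previous,
        $locker,
        get_current_user_id(),
        sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) )
    ) );
    $order->save();
    wp_send_json_success();
}
// Guests still need the nopriv hook, but every caller passes the same checks.
add_action( 'wp_ajax_example_update_locker', 'example_hardened_update_locker' );
add_action( 'wp_ajax_nopriv_example_update_locker', 'example_hardened_update_locker' );
```

The hardened handler keeps the logged-out hook because guest buyers legitimately need to change a locker, but it ties the request to the buyer through the order key (or the logged-in customer id), restricts changes to pending and processing orders, and records every change as an order note so that tampering is no longer silent. A site that cannot update to 1.9.1 immediately can apply the same three checks in a small must-use plugin hooked ahead of the vulnerable handler, provided the plugin's real action name is known.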

Responsible

WPScan

Reservation

05/27/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
