๐Ÿ” CVE Alert

CVE-2026-9702

HIGH 7.5

InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

Vendor: unknown
Product: inpost pl
Published: Jun 25, 2026
Last Updated: Jun 25, 2026

Affected Versions

Unknown / InPost PL
0 < 1.9.1

References

NVD, CVE.org, EPSS Data
wpscan.com: https://wpscan.com/vulnerability/79b27813-3d75-46a3-98d3-e6d8eb8ad467/

Credits

Pedro Pinho WPScan