PT-2026-52214 · Undefined · Undefined
Pedro Pinho
·
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-9702
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Undefined