CVE-2026-9702 Overview
CVE-2026-9702 is a missing authorization vulnerability in the InPost PL WordPress plugin before version 1.9.1. The plugin fails to verify that requests to update the WooCommerce order parcel-locker destination originate from the legitimate buyer. Unauthenticated attackers can silently redirect the shipping destination of any pending or processing order on the affected site. The flaw is a business logic and broken access control issue in the parcel-locker update handler that compromises the integrity of order fulfillment without requiring authentication or user interaction.
Critical Impact
Unauthenticated attackers can redirect shipments from any pending or processing WooCommerce order to an attacker-chosen parcel locker, enabling theft of merchandise at scale.
Affected Products
- InPost PL WordPress plugin versions prior to 1.9.1
- WooCommerce stores using InPost PL for parcel-locker shipping in Poland
- Any pending or processing WooCommerce orders managed by the vulnerable plugin
Discovery Timeline
- 2026-06-25 - CVE-2026-9702 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-9702
Vulnerability Analysis
The InPost PL plugin exposes a request handler that updates the parcel-locker destination tied to a WooCommerce order. The handler accepts requests without verifying the requester's identity or relationship to the targeted order. No nonce check, capability check, or ownership validation gates the update path. An attacker who knows or enumerates an order identifier can submit a crafted request changing the destination locker to one they control.
The vulnerability falls under broken access control and missing authorization [CWE-862]. It affects orders in pending or processing status, the window during which fulfillment information is still mutable. The attack vector is the network, complexity is low, and no privileges or user interaction are required.
Root Cause
The parcel-locker update endpoint omits two essential controls: nonce-based CSRF verification via wp_verify_nonce() and an authorization check binding the request to the order's customer. Without these, any caller can supply an arbitrary order ID and target locker, and the plugin will persist the change to order metadata.
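As an added illustration (not the InPost PL plugin's own code), the following WooCommerce AJAX handler shows what the update path looks like with both missing controls in place: a nonce check for request origin and an ownership check that binds the request to the buyer, plus a status gate so only still-mutable orders can be changed. The action name, nonce action and the _inpost_point_id meta key are assumed for the example.

```php
<?php
// Added example, not the plugin's code: a parcel-locker update handler with the
// two controls the advisory says were missing. Names and the meta key are assumed.

add_action( 'wp_ajax_example_update_locker', 'example_update_locker' );
add_action( 'wp_ajax_nopriv_example_update_locker', 'example_update_locker' ); // guest checkout

function example_update_locker() {
    // 1. Request-origin check: the nonce must come from our own checkout page,
    //    where it was issued with wp_create_nonce( 'example_update_locker' ).
    check_ajax_referer( 'example_update_locker', 'nonce' );

    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }

    // 2. Authorization: bind the request to the order's buyer. Logged-in buyers
    //    must own the order; guests must present the secret order key that
    //    WooCommerce already uses to protect the order-received page.
    $uid = get_current_user_id();
    if ( $uid ) {
        $owner = ( (int) $order->get_customer_id() === $uid );
    } else {
        $key   = sanitize_text_field( wp_unslash( $_POST['order_key'] ?? '' ) );
        $owner = ( '' !== $key && hash_equals( $order->get_order_key(), $key ) );
    }
    if ( ! $owner ) {
        wp_send_json_error( 'not your order', 403 );
    }

    // 3. Only orders whose fulfilment data is still mutable may be changed.
    if ( ! in_array( $order->get_status(), array( 'pending', 'processing' ), true ) ) {
        wp_send_json_error( 'order already dispatched', 409 );
    }

    // Validate the locker identifier before persisting it (format is assumed).
    $point = sanitize_text_field( wp_unslash( $_POST['point_id'] ?? '' ) );
    if ( ! preg_match( '/^[A-Z0-9]{3,12}$/', $point ) ) {
        wp_send_json_error( 'invalid locker id', 400 );
    }

    $ip = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) );
    $order->update_meta_data( '_inpost_point_id', $point );
    $order->add_order_note( sprintf( 'Parcel locker changed to %s by buyer (user %d, IP %s)', $point, $uid, $ip ) );
    $order->save();
    wp_send_json_success( array( 'point_id' => $point ) );
}
```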
Attack Vector
An attacker sends an unauthenticated HTTP request to the vulnerable plugin endpoint, supplying a target order identifier and a new parcel-locker point ID. The plugin updates the WooCommerce order shipping metadata. When the merchant ships the order, the package routes to the attacker's chosen locker rather than the buyer's. The attacker can iterate across order IDs to redirect multiple shipments before detection.
No verified proof-of-concept code is published. See the WPScan Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-9702
Indicators of Compromise
- Unexpected changes to _inpost_* or parcel-locker-related order meta fields on WooCommerce orders in pending or processing status
- HTTP POST requests to InPost PL plugin AJAX or REST endpoints from unauthenticated sessions or unfamiliar IP addresses
- Customer complaints about packages being delivered to lockers they did not select
- Shipping label destinations that differ from the buyer's original checkout selection
Detection Strategies
- Audit the WooCommerce wp_postmeta table for order destination changes occurring after the order was placed and correlate with web server access logs
- Review web access logs for requests targeting InPost PL plugin endpoints that lack an authenticated session cookie
- Enable WooCommerce order activity logging to capture every modification of shipping metadata with source IP and user context
Monitoring Recommendations
- Alert on bulk or sequential order-meta updates originating from a single IP address
- Monitor for parcel-locker destination changes that occur outside the normal customer checkout flow
- Forward WordPress and WooCommerce audit logs to a centralized SIEM and apply correlation rules for unauthenticated mutation attempts
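The order activity logging and monitoring described above can be approximated with a small mu-plugin such as the following. It is an added example, not part of the plugin or of WooCommerce: it records every change to an _inpost_* order meta field with user, source IP and request path, and logs at warning level when the change is made by an unauthenticated caller against a pending or processing order, which is the pattern a SIEM correlation rule can key on. It assumes classic post-table order storage (wp_postmeta, as the advisory describes) and an assumed log source name.

```php
<?php
// Added example, not the plugin's code: audit hook for parcel-locker meta changes.
// Assumes orders live in wp_posts/wp_postmeta (classic storage, not HPOS).

add_action( 'added_post_meta',   'example_audit_locker_meta', 10, 4 );
add_action( 'updated_post_meta', 'example_audit_locker_meta', 10, 4 );

function example_audit_locker_meta( $meta_id, $post_id, $meta_key, $meta_value ) {
    // Only parcel-locker related fields on WooCommerce orders.
    if ( 0 !== strpos( $meta_key, '_inpost_' ) || 'shop_order' !== get_post_type( $post_id ) ) {
        return;
    }
    $order = wc_get_order( $post_id );
    if ( ! $order ) {
        return;
    }

    $user_id = get_current_user_id();
    $ip      = sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? 'cli' ) );
    $uri     = sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ?? '' ) );
    $status  = $order->get_status();

    $context = array( 'source' => 'example-locker-audit' ); // assumed log source name
    $message = sprintf(
        'order=%d status=%s key=%s value=%s user=%d ip=%s uri=%s',
        $post_id, $status, $meta_key, wp_json_encode( $meta_value ), $user_id, $ip, $uri
    );
    $logger = wc_get_logger();

    // An unauthenticated change to a still-mutable order is the pattern in the
    // advisory. Guest checkout also runs as user 0, so treat this as an alert to
    // correlate with the checkout flow and access logs, not as proof of compromise.
    if ( 0 === $user_id && in_array( $status, array( 'pending', 'processing' ), true ) ) {
        $logger->warning( 'Unauthenticated parcel-locker change: ' . $message, $context );
        return;
    }
    $logger->info( 'Parcel-locker meta updated: ' . $message, $context );
}
```

Entries land in WooCommerce > Status > Logs under the chosen source and can be forwarded to a SIEM like any other WooCommerce log; alerting on many warnings from one IP across sequential order IDs covers the bulk-update case listed above.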
How to Mitigate CVE-2026-9702
Immediate Actions Required
- Update the InPost PL WordPress plugin to version 1.9.1 or later on all WooCommerce sites
- Review all pending and processing orders for unauthorized parcel-locker destination changes since the plugin was installed
- Contact affected customers to confirm intended delivery destinations before shipping packages
- Temporarily disable the InPost PL plugin if patching cannot be performed immediately
Patch Information
The vendor addressed the flaw in InPost PL version 1.9.1, which adds authorization and request-origin verification to the parcel-locker update handler. Administrators should apply the update through the WordPress plugin dashboard or via WP-CLI. Refer to the WPScan Vulnerability Report for advisory details.
Workarounds
- Deactivate the InPost PL plugin until the patched version is deployed
- Restrict access to plugin AJAX and REST endpoints at the web application firewall layer for unauthenticated requests
- Manually verify shipping destinations against the original checkout record before dispatching any package
- Implement a checkout-to-fulfillment reconciliation report comparing the buyer's original locker selection with current order metadata
# Update the plugin via WP-CLI
wp plugin update inpost-pl --version=1.9.1
# Verify installed version
wp plugin get inpost-pl --field=version
# If patching is delayed, deactivate the plugin
wp plugin deactivate inpost-pl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

