CVE-2026-9702
Status: Received - Intake
InPost PL WooCommerce Plugin Order Destination Hijacking

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: WPScan

Description
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: inpost
Product: pl_wordpress_plugin
Version / Range: up to 1.9.1 (1.9.1 excluded)
CWE ID / Description: CWE-UNKNOWN (no CWE assigned to this entry)
Compliance Impact

The vulnerability lets unauthenticated attackers change the parcel-locker destination of any pending or processing order, so a customer's parcel can be collected by someone other than the buyer.

Tampering with order data in this way compromises the integrity of customer shipping information and of order fulfilment, which may be relevant under data-protection and privacy regimes such as GDPR.

The published advisory itself states no compliance impact against a specific standard such as GDPR or HIPAA; the point above is an inference from the vulnerability's effect, not a finding of the advisory.

Executive Summary

The vulnerability CVE-2026-9702 affects the InPost PL WordPress plugin for WooCommerce versions prior to 1.9.1. It allows unauthenticated attackers to change the parcel-locker destination of any pending or processing order without verifying that the request comes from the legitimate buyer.

Attackers can exploit this by harvesting a nonce from the checkout page, which any visitor can load, and sending a POST request to the locker-update handler carrying a victim's order ID and a locker code of their choice. The shipping destination is silently redirected without the legitimate buyer's involvement.

The root cause is improper access control: the handler verifies a WordPress nonce, which only shows that the request came through a page on the site, not that the sender owns the order. Nonces issued to logged-out visitors are not bound to a particular customer, so one harvested nonce works against any customer's order. The issue was fixed in version 1.9.1.

Impact Analysis

This vulnerability can lead to unauthorized redirection of shipments for pending or processing orders on a WooCommerce site using the affected plugin.

Attackers can hijack orders by changing the parcel-locker destination without the buyer's knowledge or consent, potentially causing loss or theft of goods.

This undermines the integrity of order fulfillment and can damage customer trust and business reputation.

Detection Guidance

Exploitation leaves a trail of POST requests to the plugin's locker-update endpoint. Those requests are unauthenticated by design, since guest buyers must be able to use the endpoint at checkout, so the absence of a login is not the signal; what distinguishes abuse from normal use is whether the order belongs to the requester and how many orders one client touches.

Look for POST requests to the endpoint that updates the locker code where one source IP changes the destination of several different orders, or where the order was placed from a different session than the one now changing it. A legitimate buyer changes one order, once, from the session that placed it.

On the application side, the order itself is the most reliable record: a locker code that differs from the one chosen at checkout, especially on an order that is still pending or processing, is what to alert on and to verify with the buyer before shipping.

Web server logs and packet captures supply the request-level signal, with two caveats: standard access logs record the request line but not the POST body, so a grep for a parameter name only works if that parameter appears in the query string (otherwise enable body logging at the reverse proxy or WAF), and tcpdump or Wireshark only show POST contents when capturing before TLS termination.

  • Use grep or similar tools on web server logs to find POST requests to the locker-update endpoint, then group them by source IP and count distinct orders per IP.
  • Example command (the action name is a placeholder, since the plugin's real endpoint is not given here; substitute the actual path or action): grep -i 'POST .*update_locker_code' /var/log/apache2/access.log
  • Where TLS is terminated at a proxy, capture on the backend leg or at the proxy with tcpdump or Wireshark and inspect POST bodies for locker updates that target many different orders.
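As an added example (not part of this page or of any vendor tool), the following PHP CLI script applies the grouping described above to constructed Apache combined-format log lines. It keeps only POSTs to an assumed locker-update endpoint (`?wc-ajax=inpostpl_update_locker` with `order_id` in the query string; the real plugin's endpoint and parameter names are not given on this page) and flags any client IP that changes the locker on three or more distinct orders within ten minutes.

```php
<?php
// Added detection example; the endpoint action, the order_id query parameter
// and the sample log lines below are all constructed for this illustration.
// Plain access logs do not record POST bodies: if order_id only travels in the
// body, parse_locker_update() returns order_id = null and the sweep counts
// requests per IP instead, a weaker but still usable signal.

const ENDPOINT_ACTION = 'inpostpl_update_locker';
const WINDOW_SECONDS  = 600;
const ORDER_THRESHOLD = 3;

// Constructed sample lines (not real traffic): one buyer, one sweeping client.
$sample_log = <<<'LOG'
203.0.113.7 - - [25/Jun/2026:10:01:03 +0000] "GET /checkout/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jun/2026:10:01:19 +0000] "POST /?wc-ajax=inpostpl_update_locker&order_id=1041 HTTP/1.1" 200 61 "https://shop.example/checkout/" "Mozilla/5.0"
198.51.100.9 - - [25/Jun/2026:10:02:00 +0000] "POST /?wc-ajax=inpostpl_update_locker&order_id=1038 HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.9 - - [25/Jun/2026:10:02:01 +0000] "POST /?wc-ajax=inpostpl_update_locker&order_id=1039 HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.9 - - [25/Jun/2026:10:02:02 +0000] "POST /?wc-ajax=inpostpl_update_locker&order_id=1040 HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.9 - - [25/Jun/2026:10:02:03 +0000] "POST /?wc-ajax=inpostpl_update_locker&order_id=1042 HTTP/1.1" 200 61 "-" "python-requests/2.31"
LOG;

/** Parse one combined-format line; return null unless it is a locker-update POST. */
function parse_locker_update(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [, $ip, $ts, $method, $target, $status, $referer, $ua] = $m;
    $url = parse_url($target);
    parse_str($url['query'] ?? '', $q);
    if ($method !== 'POST' || ($q['wc-ajax'] ?? '') !== ENDPOINT_ACTION) {
        return null;
    }
    $time = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $ts);
    return [
        'ip'       => $ip,
        'time'     => $time ? $time->getTimestamp() : 0,
        'order_id' => $q['order_id'] ?? null,   // null when only sent in the POST body
        'status'   => (int) $status,
        'referer'  => $referer,
        'ua'       => $ua,
    ];
}

/** Return [ip => [order ids]] for sources touching >= ORDER_THRESHOLD distinct orders within WINDOW_SECONDS. */
function find_sweeps(array $lines): array {
    $by_ip = [];
    foreach ($lines as $line) {
        if ($ev = parse_locker_update($line)) {
            $by_ip[$ev['ip']][] = $ev;
        }
    }
    $alerts = [];
    foreach ($by_ip as $ip => $events) {
        usort($events, fn($a, $b) => $a['time'] <=> $b['time']);
        $n = count($events);
        for ($i = 0; $i < $n; $i++) {
            $orders = [];
            // Sliding window starting at event $i; unknown order IDs count per request.
            for ($j = $i; $j < $n && $events[$j]['time'] - $events[$i]['time'] <= WINDOW_SECONDS; $j++) {
                $orders[$events[$j]['order_id'] ?? "req{$j}"] = true;
            }
            if (count($orders) >= ORDER_THRESHOLD) {
                $alerts[$ip] = array_keys($orders);
                break;
            }
        }
    }
    return $alerts;
}

foreach (find_sweeps(explode("\n", $sample_log)) as $ip => $orders) {
    printf("ALERT %s changed locker on %d orders within %ds: %s\n",
        $ip, count($orders), WINDOW_SECONDS, implode(', ', $orders));
}
```

Run it with `php detect.php`; on the constructed lines it reports 198.51.100.9 for four orders and stays silent on the buyer at 203.0.113.7. The parsed Referer and User-Agent are returned so a second rule can be layered on (for instance, a locker update with no on-site Referer), but the distinct-orders-per-source count is the signal that maps directly to the cross-customer nature of this bug.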
Mitigation Strategies

The immediate mitigation is to update the InPost PL WordPress plugin to version 1.9.1 or later, where the vulnerability has been fixed.

Until the update can be applied, the endpoint cannot simply be blocked, because guest buyers need it at checkout. Instead, rate-limit it per source IP, alert when one client changes several orders, and review the locker destination on every pending and processing order before it ships, comparing it with what the buyer chose at checkout.

A web application firewall rule can add a crude guard in the meantime: block or challenge POST requests to the locker-update endpoint that arrive without the site's own checkout page as Referer, or that exceed a small per-IP count per hour. Treat this as a stopgap, not a fix; an attacker who holds a valid nonce can also forge those headers, and only an ownership check in the handler, as shipped in 1.9.1, closes the hole.
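The ownership check that the root-cause paragraph in the Executive Summary says is missing, and that the interim advice above can only approximate from outside, looks like this when written into the handler itself. This is an added illustration, not the InPost PL plugin's code or its 1.9.1 fix; the AJAX action, nonce action, POST field names and meta key are assumptions chosen for the example, while the WordPress and WooCommerce functions it calls are real.

```php
<?php
// Added illustration, not the InPost PL plugin's own code. The AJAX action
// 'inpostpl_update_locker', the nonce action 'inpostpl_locker', the POST fields
// and the '_inpostpl_locker' meta key are assumptions; the real plugin's names
// are not given on this page. check_ajax_referer, wc_get_order, the WC_Order
// methods and wp_send_json_* are real WordPress/WooCommerce APIs.

// ---- Vulnerable shape: a nonce is the only gate. -----------------------
// WordPress derives a nonce from (tick, action, user ID, session token). For a
// logged-out visitor the user ID is 0 and the token is empty, so every guest
// receives the same nonce for the same action during its validity window. It
// proves "this request came via a page on this site", not "this sender placed
// order 1041".
function example_vulnerable_update_locker() {
    check_ajax_referer( 'inpostpl_locker', 'nonce' );             // CSRF check only
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );     // any order ID accepted
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }
    $order->update_meta_data( '_inpostpl_locker', sanitize_text_field( wp_unslash( $_POST['locker'] ?? '' ) ) );
    $order->save();
    wp_send_json_success();
}

// ---- Hardened shape: nonce plus proof that the caller owns the order. ---
function example_caller_owns_order( WC_Order $order, string $presented_key ): bool {
    $user_id = get_current_user_id();
    if ( $user_id > 0 && (int) $order->get_customer_id() === $user_id ) {
        return true;                                                // logged-in buyer
    }
    // Guest buyer: require the per-order secret key (wc_order_...) that only the
    // buyer receives on the thank-you page and in the order e-mail. Constant-time
    // comparison so the key cannot be guessed byte by byte.
    return $presented_key !== '' && hash_equals( $order->get_order_key(), $presented_key );
}

function example_fixed_update_locker() {
    check_ajax_referer( 'inpostpl_locker', 'nonce' );
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['order_key'] ?? '' ) );

    // Same response whether the order is missing or belongs to someone else, so
    // the endpoint does not double as an order-ID enumeration oracle.
    if ( ! $order || ! example_caller_owns_order( $order, $key ) ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // Only orders that have not shipped may change destination.
    if ( ! $order->has_status( array( 'pending', 'processing' ) ) ) {
        wp_send_json_error( 'order can no longer be changed', 409 );
    }
    $locker = sanitize_text_field( wp_unslash( $_POST['locker'] ?? '' ) );
    if ( ! preg_match( '/^[A-Z0-9]{3,12}$/', $locker ) ) {            // assumed locker-code shape
        wp_send_json_error( 'invalid locker code', 400 );
    }

    $who = get_current_user_id() ? 'user ' . get_current_user_id() : 'guest (order key)';
    $order->update_meta_data( '_inpostpl_locker', $locker );
    $order->add_order_note( sprintf( 'Parcel locker changed to %s by %s', $locker, $who ) ); // audit trail
    $order->save();
    wp_send_json_success( array( 'locker' => $locker ) );
}

// Guests (nopriv) and logged-in users reach the same hardened handler.
add_action( 'wp_ajax_inpostpl_update_locker',        'example_fixed_update_locker' );
add_action( 'wp_ajax_nopriv_inpostpl_update_locker', 'example_fixed_update_locker' );
```

The two handlers differ in one decision: the hardened one refuses to act on an order the caller cannot prove is theirs, using the account binding for logged-in buyers and the WooCommerce order key for guests, and it records the change as an order note so a later review of pending and processing orders can see who moved the destination and when.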
