ByteOS Network

InPost PL

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-9702

Assigner-WPScan

View Details

Assigner-WPScan

CVSS Score-7.5||HIGH

EPSS-Not Assigned

Published-25 Jun, 2026 | 06:00

Updated-25 Jun, 2026 | 13:28

InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking

The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

Vendor-Unknown

Product-InPost PL

CWE ID-CWE-284

Improper Access Control

CVE-2024-6500

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-10||CRITICAL

EPSS-0.98% / 57.76%

7 Day CHG~0.00%

Published-17 Aug, 2024 | 02:31

Updated-15 Apr, 2026 | 00:35

InPost for WooCommerce <= 1.4.0 and InPost PL <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary File Read and Delete

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.

Vendor-inspirelabs inspirelabs

Product-InPost for WooCommerce InPost PL inpost_pl inpost_for_woocommerce

CWE ID-CWE-862

Missing Authorization