The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or processing order on the site.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The InPost PL WordPress plugin vulnerability is a critical authorization bypass flaw affecting WooCommerce-powered e-commerce sites. Versions before 1.9.1 do not verify that a request to update a parcel-locker shipping destination comes from the order's legitimate buyer, allowing unauthenticated attackers to silently redirect orders to attacker-chosen parcel lockers. This vulnerability directly impacts any WooCommerce merchant using the InPost plugin—particularly businesses in Poland and Europe where InPost is prevalent. Attackers can intercept orders in pending or processing states, changing the delivery destination without customer or merchant notification, leading to order theft, inventory loss, and significant reputational damage.
While this CVE does not map to documented MITRE ATT&CK techniques in the initial submission, Casky's security skills powered by Claude AI would detect the underlying attack patterns associated with Privilege Escalation (T1078 - Use of Legitimate Credentials) and Collection (T1113 - Screen Capture) through behavioral analysis of unauthorized state changes. A practitioner would observe anomalous API requests modifying order metadata without corresponding authentication tokens, unusual shipping address changes correlating with request patterns, and gaps in audit logs for order modifications. Casky's extended reasoning would identify the missing server-side request origin validation as the critical control failure and recommend implementing CSRF tokens, nonce verification, and strict authentication checks before allowing any order modifications—standard defensive measures that map to secure coding practices within the platform's skill taxonomy.
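The missing control described above is a server-side check that the caller actually owns the order before its parcel-locker destination is changed. The handler below is an added example, not the InPost plugin's own code; the AJAX action name, nonce action and the `_example_parcel_locker` meta key are placeholders, since the page does not give the plugin's real hook or meta names.

```php
<?php
// Added example (not InPost's code): a WooCommerce AJAX handler that lets only the
// order's buyer (or shop staff) change the parcel-locker destination of an order that
// is still pending or processing. Hook names and the meta key are placeholders.

add_action( 'wp_ajax_example_update_parcel_locker', 'example_update_parcel_locker' );
// Deliberately no 'wp_ajax_nopriv_' registration: anonymous requests get no handler.

function example_update_parcel_locker() {
    // 1. Nonce: the request must originate from a page this site rendered (dies on failure).
    check_ajax_referer( 'example_update_parcel_locker', 'nonce' );

    // 2. Authentication: an unauthenticated caller is rejected before any order is touched.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $locker   = isset( $_POST['locker'] ) ? sanitize_text_field( wp_unslash( $_POST['locker'] ) ) : '';
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    if ( ! $order || '' === $locker ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 3. Authorization: the caller must be the buyer on this order, or have shop-manager rights.
    $is_owner = (int) $order->get_customer_id() === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Not your order.' ), 403 );
    }

    // 4. State check: only orders that have not yet shipped may be redirected.
    if ( ! in_array( $order->get_status(), array( 'pending', 'processing' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Order can no longer be changed.' ), 409 );
    }

    // 5. Apply the change and leave an audit trail the merchant can review.
    $previous = $order->get_meta( '_example_parcel_locker' );
    $order->update_meta_data( '_example_parcel_locker', $locker );
    $order->add_order_note( sprintf(
        'Parcel locker changed from "%s" to "%s" by user #%d.',
        $previous, $locker, get_current_user_id()
    ) );
    $order->save();

    wp_send_json_success( array( 'locker' => $locker ) );
}
```

Guest-checkout orders carry a customer ID of 0, so a site that allows guests would additionally need to prove ownership through the order's secret key (`$order->get_order_key()`, compared with `hash_equals`) rather than the logged-in user ID.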
Casky has 0 skills that investigate the attack patterns behind CVE-2026-9702. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation