CVE-2024-6500: CWE-862 Missing Authorization in inspirelabs InPost for WooCommerce
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.
AI Analysis
Technical Summary
The InPost for WooCommerce and InPost PL plugins for WordPress suffer from a missing authorization check (CWE-862) in the 'parse_request' function in all versions up to 1.4.0 and 1.4.4 respectively. This allows unauthenticated remote attackers to read and delete arbitrary files on affected servers. The impact differs by operating system: on Windows, all files can be deleted; on Linux, deletion is restricted to the WordPress directory but reading any file is possible. The vulnerability is remotely exploitable without authentication or user interaction, resulting in high confidentiality and availability impacts. The CVSS 3.1 base score is 10. No patch or remediation details are currently available.
Potential Impact
The vulnerability allows unauthenticated attackers to read and delete arbitrary files on affected servers. On Windows servers, this includes all files, posing a severe risk to system integrity and availability. On Linux servers, attackers can delete files only within the WordPress installation but can read any file, risking sensitive data exposure. The critical CVSS score of 10 reflects the high impact on confidentiality and availability with no required privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected plugins and consider disabling them if possible. Monitor for updates from inspirelabs regarding patches or official mitigations. Avoid exposing the WordPress installation to untrusted networks to reduce risk.
CVE-2024-6500: CWE-862 Missing Authorization in inspirelabs InPost for WooCommerce
Description
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The InPost for WooCommerce and InPost PL plugins for WordPress suffer from a missing authorization check (CWE-862) in the 'parse_request' function in all versions up to 1.4.0 and 1.4.4 respectively. This allows unauthenticated remote attackers to read and delete arbitrary files on affected servers. The impact differs by operating system: on Windows, all files can be deleted; on Linux, deletion is restricted to the WordPress directory but reading any file is possible. The vulnerability is remotely exploitable without authentication or user interaction, resulting in high confidentiality and availability impacts. The CVSS 3.1 base score is 10. No patch or remediation details are currently available.
Potential Impact
The vulnerability allows unauthenticated attackers to read and delete arbitrary files on affected servers. On Windows servers, this includes all files, posing a severe risk to system integrity and availability. On Linux servers, attackers can delete files only within the WordPress installation but can read any file, risking sensitive data exposure. The critical CVSS score of 10 reflects the high impact on confidentiality and availability with no required privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected plugins and consider disabling them if possible. Monitor for updates from inspirelabs regarding patches or official mitigations. Avoid exposing the WordPress installation to untrusted networks to reduce risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-07-04T00:24:13.965Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c04b7ef31ef0b55f01b
Added to database: 2/25/2026, 9:39:16 PM
Last enriched: 4/9/2026, 2:56:25 PM
Last updated: 4/12/2026, 10:01:24 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.