Critical severity 10.0 · NVD Advisory · Published Aug 17, 2024 · Updated Apr 15, 2026
CVE-2024-6500
Description
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/inpost-for-woocommerce/trunk/src/InspireLabs/WoocommerceInpost/EasyPack_Helper.php (nvd)
- plugins.trac.wordpress.org/browser/woo-inpost/trunk/classes/class-helper.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/7b57e750-71ec-4c52-999b-6c14a78c3bff (nvd)