Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N); scope changes via shared WordPress DB user (S:C); read-only injection yields C:H, I:N, and DB-load A:L.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.
AnalysisAI
Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.
Technical ContextAI
InPost Gallery is a WordPress plugin (CPE cpe:2.3:a:realmag777:inpost_gallery) that provides image gallery functionality for WordPress sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or improperly sanitized before being passed to a database query - typical pathways in WordPress plugins include unsanitized $_GET / $_POST parameters consumed via $wpdb->query() or direct mysqli calls without using $wpdb->prepare() with placeholders. Because the CVSS scope is Changed (S:C), the injected query likely runs in a database context with privileges beyond the plugin's own logical boundary, consistent with WordPress's shared wp_ database user across all plugins and core tables (wp_users, wp_options, wp_usermeta).
RemediationAI
No vendor-released patch identified at time of analysis - the provided references cite the Patchstack advisory but no fixed version is enumerated in the input. Site operators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/inpost-gallery/vulnerability/wordpress-inpost-gallery-plugin-2-1-4-6-sql-injection-vulnerability) for any post-2.1.4.6 release and upgrade as soon as one is published. Until a fix is available, compensating controls include deactivating and removing the InPost Gallery plugin entirely (cleanest mitigation but breaks any gallery shortcodes/widgets currently embedded in posts), deploying a WAF rule (Patchstack, Wordfence, or Sucuri virtual-patch) that filters SQL meta-characters and UNION/SELECT patterns on requests reaching the plugin's endpoints (may produce false positives on legitimate admin queries), or restricting access to the plugin's AJAX/REST endpoints via web-server-level IP allowlisting where the gallery is admin-only. Generic WordPress hardening (limiting database user privileges to drop FILE and SUPER privileges) limits but does not prevent data exfiltration via SELECT-based injection.
More in Inpost Gallery
View allThe InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, a
The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability
The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_sh
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37046
GHSA-6h64-2vq4-m659