Skip to main content

InPost Gallery EUVDEUVD-2026-37046

| CVE-2026-39574 CRITICAL
SQL Injection (CWE-89)
2026-06-16 Patchstack GHSA-6h64-2vq4-m659
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N); scope changes via shared WordPress DB user (S:C); read-only injection yields C:H, I:N, and DB-load A:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:27 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.

AnalysisAI

Unauthenticated SQL injection in the InPost Gallery WordPress plugin (versions 2.1.4.6 and earlier) by realmag777 allows remote attackers to inject arbitrary SQL queries without any authentication. The flaw carries a CVSS 9.3 with a scope change, meaning successful exploitation can extract sensitive database contents and impact resources beyond the vulnerable component. No public exploit identified at time of analysis, but the unauthenticated nature and the visibility of Patchstack-reported WordPress flaws make opportunistic scanning likely.

Technical ContextAI

InPost Gallery is a WordPress plugin (CPE cpe:2.3:a:realmag777:inpost_gallery) that provides image gallery functionality for WordPress sites. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or improperly sanitized before being passed to a database query - typical pathways in WordPress plugins include unsanitized $_GET / $_POST parameters consumed via $wpdb->query() or direct mysqli calls without using $wpdb->prepare() with placeholders. Because the CVSS scope is Changed (S:C), the injected query likely runs in a database context with privileges beyond the plugin's own logical boundary, consistent with WordPress's shared wp_ database user across all plugins and core tables (wp_users, wp_options, wp_usermeta).

RemediationAI

No vendor-released patch identified at time of analysis - the provided references cite the Patchstack advisory but no fixed version is enumerated in the input. Site operators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/inpost-gallery/vulnerability/wordpress-inpost-gallery-plugin-2-1-4-6-sql-injection-vulnerability) for any post-2.1.4.6 release and upgrade as soon as one is published. Until a fix is available, compensating controls include deactivating and removing the InPost Gallery plugin entirely (cleanest mitigation but breaks any gallery shortcodes/widgets currently embedded in posts), deploying a WAF rule (Patchstack, Wordfence, or Sucuri virtual-patch) that filters SQL meta-characters and UNION/SELECT patterns on requests reaching the plugin's endpoints (may produce false positives on legitimate admin queries), or restricting access to the plugin's AJAX/REST endpoints via web-server-level IP allowlisting where the gallery is admin-only. Generic WordPress hardening (limiting database user privileges to drop FILE and SUPER privileges) limits but does not prevent data exfiltration via SELECT-based injection.

Share

EUVD-2026-37046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy