Vulnerabilities and security researches forinpost-gallery inpost-gallery

Jun 07, 2024

CVE, Research URL: 5f87d0dea32454e20b92b31e958259617992907a
Home page URL: Security reports for InPost Gallery
Application: InPost Gallery
Date: Oct 20, 2016
Research Description: InPost Gallery [inpost-gallery] < 2.1.2.1 WordPress InPost Gallery plugin <= 2.1.2 - Authenticated Persistent Cross-Site (XSS) Vulnerability WordPress InPost Gallery plugin version <= 2.1.2 is vulnerable to Cross-Site (XSS) vulnerability. The values on the admin settings page are not escaped. Update the plugin.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-28666
Home page URL: Security reports for InPost Gallery
Application: InPost Gallery
Date: Mar 23, 2023
Research Description: The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'imgurl' parameter to the add_inpost_gallery_slide_item action, which can only be triggered by an authenticated user.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2022-4063
Home page URL: Security reports for InPost Gallery
Application: InPost Gallery
Date: Dec 19, 2022
Research Description: The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.
Affected versions: Min -, max -.
Status: vulnerable

Nov 26, 2024

CVE, Research URL: CVE-2024-11002
Home page URL: Security reports for InPost Gallery
Application: InPost Gallery
Date: Nov 26, 2024
Research Description: The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Affected versions: Min -, max -.
Status: vulnerable

Apr 15, 2025

CVE, Research URL: CVE-2025-26903
Home page URL: Security reports for InPost Gallery
Application: InPost Gallery
Date: -
Research Description: InPost Gallery [inpost-gallery] < 2.1.4.4 CVE-2025-26903
Affected versions: Min -, max -.
Status: vulnerable