GCVE - cpe:2.3:a:pluginus:inpost_gallery:*:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:pluginus:inpost_gallery:*:*:*:*:*:wordpress:*:*

part: a version: * update: *

Vendor	Pluginus (`b2d4bfa9-c97b-5f60-91a9-fcfd90546f78`)
Product	Inpost Gallery (`a6d9e8b0-dd01-5c3d-8f00-f0c39d458290`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/wp-plugins/inpost-gallery`	purl2cpe	2026-06-01 10:11:17.054484

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-11002`	vulnerable	2026-06-03 14:54:13.133044	InPost Gallery <= 2.1.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template MEDIUM (6.3) The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. Published: 2024-11-26T06:43:44.633Z Updated: 2026-04-08T16:56:26.527Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/5fbb2dcf-38b8-4ef1-bfea-bf5872cc7e37?source=cve https://plugins.trac.wordpress.org/browser/inpost-gallery/trunk/index.php#L323 https://wordpress.org/plugins/inpost-gallery/#developers https://plugins.trac.wordpress.org/changeset/3192113/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-28666`	vulnerable	2026-06-03 14:51:13.225691	Details available The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'imgurl' parameter to the add_inpost_gallery_slide_item action, which can only be triggered by an authenticated user. Published: 2023-03-22T00:00:00.000Z Updated: 2025-02-25T21:00:40.626Z Open on db.gcve.eu Reference links https://www.tenable.com/security/research/tra-2023-3	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-4063`	vulnerable	2026-06-03 14:48:35.026724	InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. Published: 2022-12-19T13:41:37.739Z Updated: 2025-04-17T14:01:03.199Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.