CVE-2022-4063
published 2022-12-19


Priority: P180
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 9.52% (94.8th percentile)
The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.

Affected

1 range

Vendor     Product          Version range   Fixed in
pluginus   inpost_gallery   < 2.1.4.1       2.1.4.1

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ==
  • The exploit targets the AJAX action 'inpost_gallery_get_gallery' with the parameter 'popup_shortcode_key=inpost_fancy' and a base64-encoded 'popup_shortcode_attributes' value containing a file:// URI, indicating LFI via PHP extract() abuse. Monitor for unauthenticated GET requests to /wp-admin/admin-ajax.php carrying these parameters.
  • The base64 payload decodes to {"pagepath": "file:///etc/passwd"}, showing that attackers supply file:// or other wrapper URIs via the popup_shortcode_attributes parameter to force PHP file inclusion.
  • The vulnerability is unauthenticated (unauth tag, PR:N): no session or nonce is required, so any GET request to the AJAX endpoint with the malicious action and attributes should be flagged.
  • Successful exploitation returns HTTP 200 with Content-Type text/html and a body matching 'root:.*:0:0:' (the contents of /etc/passwd), which can serve as a response-based detection signal.
  • The plugin insecurely uses PHP's extract() function when rendering HTML views, so the attack surface is tied to how attacker-controlled variables are injected into the view scope rather than to a simple parameter injection; 'pagepath' in the base64 JSON is the specific variable name leveraged.
  • The PoC uses the file:// wrapper to read /etc/passwd, but the vulnerability may also allow remote file inclusion (RFI) via http:// or other PHP stream wrappers, depending on server configuration (allow_url_include).
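Turning the indicators above into a log check, as an added example that is neither the page's nor the plugin's code: it assumes combined-format access-log lines and the constructed SAMPLE_LOG entries (placeholder addresses), decodes popup_shortcode_attributes, and flags any decoded value that begins with a PHP stream wrapper, so it also catches the RFI variants the last bullet mentions.

```python
# Added detection example for CVE-2022-4063; not the plugin's or the page's own code.
import base64, binascii, json, re
from typing import Optional
from urllib.parse import parse_qs, urlsplit
TARGET_ACTION = "inpost_gallery_get_gallery"
# Wrappers that turn the extract()-injected 'pagepath' into LFI (file://) or RFI.
WRAPPER_RE = re.compile(r"^(?:file|https?|ftp|php|data|expect|phar|zip)://", re.I)
# Minimal combined-log matcher: client IP, request target, HTTP status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Constructed sample lines (not real traffic); the first carries the page's PoC
# payload, which decodes to {"pagepath": "file:///etc/passwd"}.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Dec/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy'
    '&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ== HTTP/1.1" 200 1834',
    '198.51.100.8 - - [19/Dec/2022:10:00:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=inpost_gallery_get_gallery&popup_shortcode_attributes=e30= HTTP/1.1" 200 12',
    '203.0.113.5 - - [19/Dec/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120',
]
def decode_attributes(raw: str) -> dict:
    """Decode the base64 JSON blob; tolerate stripped padding, reject junk."""
    raw = raw.replace(" ", "+")            # parse_qs turns a literal '+' into a space
    padded = raw + "=" * (-len(raw) % 4)   # re-add '=' padding if it was dropped
    try:
        data = json.loads(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError):
        return {}
    return data if isinstance(data, dict) else {}
def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None when it looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != TARGET_ACTION:
        return None
    attrs = decode_attributes(qs.get("popup_shortcode_attributes", [""])[0])
    wrappers = {k: v for k, v in attrs.items() if isinstance(v, str) and WRAPPER_RE.match(v)}
    if not wrappers:
        return None  # the plugin's own AJAX call carries no wrapper URIs
    return {"shortcode_key": qs.get("popup_shortcode_key", [""])[0], "wrappers": wrappers}
def scan_log(lines) -> list:
    # Run inspect_request over access-log lines, keeping client IP and status.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = inspect_request(m.group(2)) if m else None
        if hit:
            findings.append({"client": m.group(1), "status": int(m.group(3)), **hit})
    return findings
```

Calling scan_log(SAMPLE_LOG) reports only the first line; the second carries the same action with an empty attribute object and is left alone, which keeps the rule from firing on the plugin's legitimate AJAX traffic.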

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL