CVE-2022-4063
Published 2022-12-19
Priority P180 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 9.52% (94.8th percentile)
The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pluginus | inpost_gallery | < 2.1.4.1 | 2.1.4.1 |
Detection & IOCs
URL: /wp-admin/admin-ajax.php?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ==
- Exploit targets the AJAX action 'inpost_gallery_get_gallery' with parameter 'popup_shortcode_key=inpost_fancy' and a base64-encoded 'popup_shortcode_attributes' containing a file:// URI, indicating LFI via PHP extract() abuse. Monitor for unauthenticated GET requests to /wp-admin/admin-ajax.php with these parameters.
- The base64 payload decodes to {"pagepath": "file:///etc/passwd"}, indicating attackers supply file:// or other wrapper URIs via the popup_shortcode_attributes parameter to force PHP file inclusion.
- The vulnerability is unauthenticated (unauth tag, PR:N). No session or nonce is required. Any GET request to the AJAX endpoint with the malicious action and attributes should be flagged.
- Successful exploitation returns HTTP 200 with Content-Type text/html and body matching 'root:.*:0:0:' (contents of /etc/passwd), which can be used as a response-based detection signal.
- The plugin insecurely uses PHP's extract() function when rendering HTML views, meaning the attack surface is tied to how attacker-controlled variables are injected into the view scope, not a simple parameter injection. The 'pagepath' key in the base64 JSON is the specific variable name leveraged.
- The PoC uses a file:// URI wrapper to read /etc/passwd, but the vulnerability may also support remote file inclusion (RFI) via http:// or other PHP stream wrappers depending on server configuration (allow_url_include).
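A log-side check for the signals listed above, as an added example (not code from the plugin, the Nuclei template or any cited source): it decodes popup_shortcode_attributes from access-log lines and flags requests whose JSON carries a pagepath key. The log lines are constructed, the function names are hypothetical, and treating any pagepath key as high severity is an assumption about legitimate traffic.

```python
import base64, binascii, json, re
from urllib.parse import parse_qs, urlsplit

REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')   # request line in a combined-format log
PASSWD = re.compile(r"root:.*:0:0:")                     # response-body signal quoted above
SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy'
    '&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ== HTTP/1.1" 200 1873',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58',
]

def decode_attributes(value):
    """Return the JSON object inside popup_shortcode_attributes, or None if undecodable."""
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")  # parse_qs turns '+' into ' '
    value += "=" * (-len(value) % 4)                                     # tolerate stripped padding
    try:
        obj = json.loads(base64.b64decode(value))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def inspect_request(target):
    """Classify one request target (path + query); None means not the gallery action."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if (not parts.path.endswith("/wp-admin/admin-ajax.php")
            or query.get("action", [""])[0] != "inpost_gallery_get_gallery"):
        return None
    finding = {"pagepath": None, "severity": "review"}
    for raw in query.get("popup_shortcode_attributes", []):
        attrs = decode_attributes(raw)
        if attrs is None:
            finding["severity"] = "suspicious"       # blob that is not base64-encoded JSON
        elif "pagepath" in attrs:                    # assumption: never set by normal traffic
            finding.update(pagepath=str(attrs["pagepath"]), severity="high")
            break
    return finding

def response_confirms_read(status, body):
    """True when the response matches the /etc/passwd signal described above."""
    return status == 200 and PASSWD.search(body) is not None

def scan(lines):
    """Return (client_ip, finding) for every log line that hits the gallery action."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        finding = inspect_request(m.group(1)) if m else None
        if finding:
            hits.append((line.split()[0], finding))
    return hits
```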
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-5rmh-7p7v-fmfc: The InPost Gallery WordPress plugin before 2
ghsa_unreviewed·2022-12-19
CVE-2022-4063 [CRITICAL] CWE-22 GHSA-5rmh-7p7v-fmfc: The InPost Gallery WordPress plugin before 2
VulnCheck
pluginus inpost_gallery Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2022·CVSS 9.8
CVE-2022-4063 [CRITICAL] pluginus inpost_gallery Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: pluginus inpost_gallery
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-4063; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-03&host_type=src&vulnerabi
No detection rules found.
Nuclei
WordPress InPost Gallery <2.1.4.1 - Local File Inclusion
nuclei·CVSS 9.8
CVE-2022-4063 [CRITICAL] WordPress InPost Gallery <2.1.4.1 - Local File Inclusion
WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execute code remotely on servers.
Template:

```yaml
id: CVE-2022-4063
info:
  name: WordPress InPost Gallery <2.1.4.1 - Local File Inclusion
  author: theamanrawat
  severity: critical
  description: |
    WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execu
```
No writeups or analysis indexed.
2022-12-19: Published
Exploited in the wild