Description
Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated SQL injection flaw exists in the WordPress InPost Gallery plugin through versions up to 2.1.4.6. Attackers can supply malicious input in plugin parameters, enabling arbitrary SQL commands. This can result in reading or modifying any data stored in the site’s database and, if the database privileges are generous, may expose the application to additional risks.

Affected Systems

The vulnerability affects any WordPress site running the RealMag777 InPost Gallery plugin at or below version 2.1.4.6. Versions 2.1.5 and newer contain the fix and are recommended for deployment.

Risk and Exploitability

The score of 9.3 demonstrates a critical severity, while the low EPSS of less than 1% indicates few reported exploits, but the lack of inclusion in CISA’s KEV list does not remove the risk. The flaw can be triggered by any unauthenticated HTTP request, so public access is sufficient to exploit it. Given the destructive potential, organizations should treat this as a high‑risk vulnerability.

Generated by OpenCVE AI on June 16, 2026 at 20:38 UTC.

Remediation

Vendor Solution

Update the WordPress InPost Gallery Plugin to the latest available version (at least 2.1.5).

OpenCVE Recommended Actions

  • Update the InPost Gallery plugin to version 2.1.5 or newer to apply the vendor-published fix.
  • If an immediate upgrade is not possible, disable the plugin to block unauthenticated access until the update can be applied.
  • Restrict database permissions so that the WordPress application only has the minimal privileges required, limiting the damage potential of any remaining injection.
  • Perform a review of the site’s database for unexpected changes and monitor logs for suspicious activity.

Generated by OpenCVE AI on June 16, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.
Title WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:10:37.918Z

Reserved: 2026-04-07T10:48:38.854Z

Link: CVE-2026-39574

cve-icon Vulnrichment

Updated: 2026-06-16T14:09:06.460Z

cve-icon NVD

Status : Deferred

Published: 2026-06-16T10:16:27.223

Modified: 2026-06-16T14:52:36.287

Link: CVE-2026-39574

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')