Description
Contributor SQL Injection in Gallery <= 4.7.8 versions.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gallery plugin for WordPress, up to version 4.7.8, contains a contributor SQL injection flaw that allows an attacker to insert malicious SQL statements through unsanitized input fields. This can enable the attacker to read, modify, or delete data stored in the plugin's database tables, potentially leading to data leakage or complete compromise of the WordPress site.

Affected Systems

BestWebSoft Gallery, a WordPress gallery plugin, is affected. All releases of the plugin with version numbers 4.7.8 and earlier are impacted. Users running any of these versions should verify their installations for the vulnerability.

Risk and Exploitability

With a CVSS score of 8.5, the flaw is considered high severity, although EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, whereby an outsider can supply crafted parameters via public web forms or URLs to activate the injection. Exploitation does not appear to require prior authentication, so it can affect any visitor to the site. The lack of mitigation information implies that the flaw can be exploited if the plugin is in use and unpatched.

Generated by OpenCVE AI on June 26, 2026 at 16:54 UTC.

Remediation

Vendor Solution

Update the WordPress Gallery Plugin to the latest available version (at least 4.7.9).

OpenCVE Recommended Actions

  • Upgrade BestWebSoft Gallery to version 4.7.9 or later.
  • If the upgrade cannot be performed immediately, disable the Gallery plugin to prevent exploitation until a patch is available.
  • As a secondary precaution, inspect any custom code that passes user input to the plugin and ensure proper input validation to mitigate similar injection risks.

Generated by OpenCVE AI on June 26, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Bestwebsoft
Bestwebsoft gallery
Wordpress
Wordpress wordpress
Vendors & Products Bestwebsoft
Bestwebsoft gallery
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Contributor SQL Injection in Gallery <= 4.7.8 versions.
Title WordPress Gallery plugin <= 4.7.8 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Bestwebsoft Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:53:16.363Z

Reserved: 2026-06-25T08:03:17.055Z

Link: CVE-2026-57642

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T21:00:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')