CVE-2022-4063

InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE

Basic Information

CVE State: PUBLISHED
Reserved Date: November 18, 2022
Published Date: December 19, 2022
Last Updated: April 17, 2025
Vendor: Unknown
Product: InPost Gallery
Description: The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-03-10 00:00:00 UTC) Source

References

https://wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-03-10 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-4063.yaml	2025-04-25 00:00:00 UTC

Timeline

CVE ID Reserved

November 18, 2022
CVE Published to Public

December 19, 2022
Detected by Nuclei

April 25, 2025
Added to KEVIntel

March 10, 2026