What is CVE-2022-4063?

CVE-2022-4063 is a vulnerability in Inpost Gallery, classified under CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'). Published 2022-12-19.

Is CVE-2022-4063 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Inpost Gallery

CVE-2022-4063

The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.

EPSS: 0.880 (99.5th percentile) — read the EPSS interpretation.

Affected products

Unknown Inpost Gallery — versions 0

Public proof-of-concept exploits

im-hanzou/INPGer
ARPSyndicate/cvemon
ARPSyndicate/kenzer-templates
20142995/nuclei-templates
leoambrus/CheckersNomisec
nomi-sec/PoC-in-GitHub
cyllective/CVEs

References

wpscan.com/vulnerability/6bb07ec1-f1aa-4f4b-9717-c92f651a90a7 (exploit, vdb-entry, technical-description)

Frequently asked questions

What is CVE-2022-4063?: CVE-2022-4063 is a vulnerability in Inpost Gallery, classified under CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'). Published 2022-12-19.
Is CVE-2022-4063 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.