InPost Gallery Security & Risk Analysis

wordpress.org/plugins/inpost-gallery

InPost Gallery - photo and image gallery for WordPress

800 active installs · v2.1.5 · PHP 7.2+ · WP 3.5.0+ · Updated Mar 6, 2026
Tags: album, gallery, image, photo, photo-gallery
Score: 84 · B · Generally Safe
CVEs total: 7
Unpatched: 0
Last CVE: Sep 3, 2025
Safety Verdict

Is InPost Gallery Safe to Use in 2026?

Mostly Safe

Score 84/100

InPost Gallery is generally safe to use. 7 past CVEs were resolved. Keep it updated.

7 known CVEs · Last CVE: Sep 3, 2025 · Updated 28d ago
Risk Assessment

The "inpost-gallery" v2.1.5 plugin exhibits a concerning security posture despite some positive indicators. While it demonstrates good practices in SQL query preparation and output escaping, the significant number of unprotected AJAX handlers presents a substantial attack surface. The presence of 4 out of 5 AJAX handlers lacking authentication checks means that unauthenticated users could potentially trigger sensitive actions or access data within the plugin. Furthermore, the plugin's history of 7 known CVEs, including critical and high-severity vulnerabilities like Code Injection, PHP Remote File Inclusion, and Cross-Site Scripting, is a major red flag. The fact that the last vulnerability was reported in 2025 suggests a recurring pattern of insecure coding practices that have led to serious security flaws in the past, even if none are currently unpatched. This history strongly indicates a need for thorough auditing and remediation of past issues before relying on this plugin.

Key Concerns

  • High number of unprotected AJAX handlers
  • High historical critical vulnerability count
  • Historical high severity vulnerability count
  • Historical medium severity vulnerability count
  • Past vulnerabilities include Code Injection
  • Past vulnerabilities include PHP Remote File Inclusion
  • Past vulnerabilities include Cross-Site Scripting
  • Past vulnerabilities include CSRF
Vulnerabilities
7

InPost Gallery Security Vulnerabilities

CVEs by Year

  • 2016: 2 CVEs
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

  • Critical: 2
  • High: 1
  • Medium: 4

7 total CVEs

CVE-2025-57889 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

InPost Gallery <= 2.1.4.5 - Authenticated (Subscriber+) Local File Inclusion

Sep 3, 2025 Patched in 2.1.4.6 (9d)
CVE-2025-26903 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

InPost Gallery <= 2.1.4.3 - Cross-Site Request Forgery

Apr 11, 2025 Patched in 2.1.4.4 (5d)
CVE-2024-11002 · medium · 6.3 · Improper Control of Generation of Code ('Code Injection')

InPost Gallery <= 2.1.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template

Nov 25, 2024 Patched in 2.1.4.3 (1d)
CVE-2023-28666 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

InPost Gallery <= 2.1.4.1 - Reflected Cross-Site Scripting via 'imgurl'

Mar 20, 2023 Patched in 2.1.4.2 (309d)
CVE-2022-4063 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

InPost Gallery <= 2.1.4.1 - Local File Inclusion

Nov 28, 2022 Patched in 2.1.4.1 (421d)
WF-19f737a8-21e6-49d3-95b9-24fb6e5d7af7-inpost-gallery · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

InPost Gallery < 2.1.2.1 - Local File Inclusion

Oct 20, 2016 Patched in 2.1.2.1 (2651d)
WF-c98c1ce9-8213-47cb-b928-3641f821a806-inpost-gallery · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

InPost Gallery <= 2.1.2 - Cross-Site Scripting

Oct 18, 2016 Patched in 2.1.2.1 (2653d)
Code Analysis
Analyzed Mar 16, 2026

InPost Gallery Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 14 (416 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

97% escaped · 430 total outputs
Attack Surface
4 unprotected

InPost Gallery Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers 5

  • auth · wp_ajax_inpost_gallery_get_shortcode_template · index.php:85
  • auth · wp_ajax_add_inpost_gallery_slide_item · index.php:86
  • auth · wp_ajax_inpost_gallery_save_settings · index.php:87
  • auth · wp_ajax_inpost_gallery_get_gallery · index.php:89
  • nopriv · wp_ajax_inpost_gallery_get_gallery · index.php:90
WordPress Hooks 10
  • filter · image_resize_dimensions · helper\aq_resizer_pn.php:67
  • action · wp_head · index.php:77
  • action · wp_footer · index.php:78
  • action · admin_head · index.php:79
  • action · admin_menu · index.php:80
  • action · admin_init · index.php:81
  • action · save_post · index.php:82
  • filter · mce_buttons · index.php:145
  • filter · mce_external_plugins · index.php:146
  • action · init · index.php:724
Maintenance & Trust

InPost Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 7.2
Downloads: 70K

Community Trust

Rating: 80/100
Number of ratings: 18
Active installs: 800
Developer Profile

InPost Gallery Developer Profile

RealMag777

12 plugins · 188K total installs

Trust score: 66
Avg Security Score: 82/100
Avg Patch Time: 209 days
Detection Fingerprints

How We Detect InPost Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/inpost-gallery/css/admin.css
  • /wp-content/plugins/inpost-gallery/js/admin.js
  • /wp-content/plugins/inpost-gallery/js/wp38/admin.js
Script Paths
  • /wp-content/plugins/inpost-gallery/js/admin.js
  • /wp-content/plugins/inpost-gallery/js/wp38/admin.js
Version Parameters
  • inpost-gallery/style.css?ver=
  • inpost-gallery/js/admin.js?ver=
  • inpost-gallery/js/wp38/admin.js?ver=
  • inpost-gallery/css/admin.css?ver=

HTML / DOM Fingerprints

Data Attributes
data-inpost-gallery-shortcode-id
JS Globals
  • pn_ext_shortcodes_app_link
  • pn_ext_shortcodes_items
  • pn_lang_loading
  • inpost_is_front
  • inpost_gallery_post_id
  • ajaxurl
  • +1 more
REST Endpoints
/wp-json/inpost-gallery/v1/settings
Shortcode Output
[inpost_gallery
FAQ

Frequently Asked Questions about InPost Gallery