CVE-2025-57889
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 InPost Gallery inpost-gallery allows PHP Local File Inclusion.This issue affects InPost Gallery: from n/a through <= 2.1.4.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-57889
EUVD
EUVD-2025-27026
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack inpost_gallery 2.1.4.5
patchstack inpost_gallery 2.1.4.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Local File Inclusion (LFI) flaw in the WordPress InPost Gallery Plugin up to version 2.1.4.5. It allows an attacker with subscriber-level privileges to include and display local files from the target website by improperly controlling the filename used in PHP include/require statements. This can expose sensitive files such as those containing database credentials, potentially leading to further compromise of the site. [1]

Impact Analysis

Exploiting this vulnerability can expose sensitive files on your website, including database credentials. This exposure can lead to a complete database takeover depending on your site's configuration. The vulnerability is highly dangerous and expected to be widely exploited, potentially resulting in significant security breaches and loss of data integrity. [1]

Detection Guidance

Detection of this Local File Inclusion vulnerability can involve monitoring for suspicious HTTP requests attempting to include local files via the InPost Gallery plugin. Since the vulnerability allows inclusion of local files through manipulated parameters, inspecting web server logs for unusual requests targeting the plugin's include or require parameters is recommended. Specific commands are not provided in the resources, but general approaches include using tools like grep to search web server logs for suspicious patterns, e.g., commands like 'grep -i "inpost-gallery" /var/log/apache2/access.log | grep ".."' to find directory traversal attempts. Additionally, using vulnerability scanners or plugin-based malware scanners may be unreliable as per the resource, so manual log inspection or professional incident response is advised. [1]

Mitigation Strategies

Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks targeting this vulnerability until the official update can be applied. The most effective mitigation is to update the InPost Gallery plugin to version 2.1.4.6 or later, where the vulnerability is resolved. Users are strongly advised to update immediately to eliminate the risk. If the site is suspected to be compromised, professional incident response services should be sought, as plugin-based malware scanners may not reliably detect infections. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart