CVE-2025-57889
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | inpost_gallery | 2.1.4.5 |
| patchstack | inpost_gallery | 2.1.4.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) flaw in the WordPress InPost Gallery Plugin up to version 2.1.4.5. It allows an attacker with subscriber-level privileges to include and display local files from the target website by improperly controlling the filename used in PHP include/require statements. This can expose sensitive files such as those containing database credentials, potentially leading to further compromise of the site. [1]
How can this vulnerability impact me? :
Exploiting this vulnerability can expose sensitive files on your website, including database credentials. This exposure can lead to a complete database takeover depending on your site's configuration. The vulnerability is highly dangerous and expected to be widely exploited, potentially resulting in significant security breaches and loss of data integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this Local File Inclusion vulnerability can involve monitoring for suspicious HTTP requests attempting to include local files via the InPost Gallery plugin. Since the vulnerability allows inclusion of local files through manipulated parameters, inspecting web server logs for unusual requests targeting the plugin's include or require parameters is recommended. Specific commands are not provided in the resources, but general approaches include using tools like grep to search web server logs for suspicious patterns, e.g., commands like 'grep -i "inpost-gallery" /var/log/apache2/access.log | grep ".."' to find directory traversal attempts. Additionally, using vulnerability scanners or plugin-based malware scanners may be unreliable as per the resource, so manual log inspection or professional incident response is advised. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks targeting this vulnerability until the official update can be applied. The most effective mitigation is to update the InPost Gallery plugin to version 2.1.4.6 or later, where the vulnerability is resolved. Users are strongly advised to update immediately to eliminate the risk. If the site is suspected to be compromised, professional incident response services should be sought, as plugin-based malware scanners may not reliably detect infections. [1]