Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-11002

The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Published

2024-11-26T07:15:05.413

Last Modified

2025-07-09T18:47:27.657

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	pluginus	inpost_gallery	< 2.1.4.3	Yes

References

https://plugins.trac.wordpress.org/browser/inpost-gallery/trunk/index.php#L323 Product ([email protected])
https://plugins.trac.wordpress.org/changeset/3192113/ Patch ([email protected])
https://wordpress.org/plugins/inpost-gallery/#developers Product ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/5fbb2dcf-38b8-4ef1-bfea-bf5872cc7e37?source=cve Third Party Advisory ([email protected])