CVE-2024-11002
📋 TL;DR
The InPost Gallery WordPress plugin allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes via an AJAX endpoint. This vulnerability exists because the plugin doesn't properly validate user input before passing it to WordPress's do_shortcode function. All WordPress sites using InPost Gallery versions up to 2.1.4.2 are affected.
💻 Affected Systems
- InPost Gallery WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute malicious shortcodes that perform actions like creating administrator accounts, injecting backdoors, stealing data, or taking full control of the WordPress site.
Likely Case
Attackers will execute shortcodes to create backdoors, escalate privileges, or inject malicious content into the site.
If Mitigated
With proper access controls and monitoring, impact is limited to authenticated users only, but they could still execute unauthorized shortcodes.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept code is available in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.4.3
Vendor Advisory: https://wordpress.org/plugins/inpost-gallery/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find InPost Gallery and click 'Update Now'.
4. Verify the version is 2.1.4.3 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Add the following to the active theme's functions.php to remove the vulnerable AJAX action handler. remove_action() only takes effect if the callback name (and priority, if the plugin registered one) matches exactly what the plugin passed to add_action(), so confirm both against the installed plugin source before relying on this:

add_action('init', function () {
    // Logged-in callers: the Subscriber-and-above path the advisory describes
    remove_action('wp_ajax_inpost_gallery_get_shortcode_template', 'inpost_gallery_get_shortcode_template');
    // Unauthenticated callers, in case the handler is also registered for them
    remove_action('wp_ajax_nopriv_inpost_gallery_get_shortcode_template', 'inpost_gallery_get_shortcode_template');
});

Disable plugin temporarily
Deactivate the InPost Gallery plugin until it is patched:

wp plugin deactivate inpost-gallery
🧯 If You Can't Patch
- Restrict user registration and review existing user accounts for suspicious activity
- Implement web application firewall rules to block requests to wp-admin/admin-ajax.php with suspicious parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → InPost Gallery version. If version is 2.1.4.2 or lower, you are vulnerable.
Check Version:
wp plugin list --name=inpost-gallery --field=version
Verify Fix Applied:
After updating, verify InPost Gallery version shows 2.1.4.3 or higher in WordPress plugins list.
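The version check above is easy to get wrong when done as a string comparison ("2.1.4.10" sorts before "2.1.4.3" as text). The following is an added example, not code from the plugin or its vendor, that compares dotted versions numerically against the 2.1.4.3 fix version and interprets the output of `wp plugin list --name=inpost-gallery --field=version`; it assumes that command prints the bare version on one line and that empty output means the plugin is absent.

```python
"""Decide whether an installed InPost Gallery version is in the affected range.

Constructed example for this advisory, not vendor code. It assumes the
version string comes from `wp plugin list --name=inpost-gallery --field=version`,
which prints the version alone on one line (empty output = not installed).
"""
import re

FIXED_VERSION = "2.1.4.3"  # first patched release per the advisory


def parse_version(text):
    """'2.1.4.3' -> (2, 1, 4, 3). Stops at the first non-numeric part,
    so '2.1.4.3-rc1' -> (2, 1, 4, 3)."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, compared numerically field by field.
    Plain string comparison gets this wrong: "2.1.4.10" < "2.1.4.3" as strings."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # '2.1.4' compares as 2.1.4.0
    b += (0,) * (width - len(b))
    return a < b


def check_wp_cli_output(output):
    """Interpret raw wp-cli output (assumption: empty output = plugin not installed)."""
    version = output.strip()
    if not version:
        return "not installed"
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    # Constructed sample outputs, not taken from a real site
    for sample in ("2.1.4.2\n", "2.1.4.3\n", "2.1.4.10\n", ""):
        print(repr(sample), "->", check_wp_cli_output(sample))
```

Pipe the real command into it with `wp plugin list --name=inpost-gallery --field=version | python3 check.py` after wrapping `check_wp_cli_output(sys.stdin.read())` in the main block.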
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=inpost_gallery_get_shortcode_template containing unusual shortcode parameters
- Multiple failed login attempts followed by successful login and AJAX requests
Network Indicators:
- Unusual traffic patterns to wp-admin/admin-ajax.php from single IP addresses
- POST requests with shortcode parameters from authenticated users
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data CONTAINS "inpost_gallery_get_shortcode_template" AND post_data CONTAINS "shortcode="
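The log indicators and SIEM query above, implemented as a small scanner over sample lines. This is an added example for this advisory, not code from the plugin, Wordfence, or any SIEM vendor. It assumes a log source that records the POST body (a WAF or ModSecurity audit log would; a plain Apache/Nginx access log does not, in which case only the method and URI checks apply), uses a constructed `ip method uri status user body` line format, and treats any shortcode other than the plugin's own `inpost_gallery` as the "unusual shortcode parameter" the indicator describes; the expected-shortcode set and the repeat-IP threshold are assumptions to tune per site.

```python
"""Scan web-server/WAF log lines for the CVE-2024-11002 indicators listed above.

Constructed example for this advisory, not code from the plugin or any vendor.
Assumes a log that records the POST body (WAF / ModSecurity audit style).
"""
import re
from collections import Counter
from urllib.parse import parse_qs

TARGET_URI = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "inpost_gallery_get_shortcode_template"
# Shortcodes the plugin would legitimately render through this endpoint.
# Assumption for the example: only its own gallery shortcode is expected.
EXPECTED_SHORTCODES = {"inpost_gallery"}

# Constructed log format: "<ip> <method> <uri> <status> <user> <urlencoded post body>"
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<user>\S+) (?P<body>\S*)$"
)
SHORTCODE_NAME = re.compile(r"\[\s*([A-Za-z0-9_-]+)")

# Constructed sample lines (RFC 5737 documentation addresses, made-up users).
SAMPLE_LOG = """\
203.0.113.7 POST /wp-admin/admin-ajax.php 200 subscriber1 action=inpost_gallery_get_shortcode_template&shortcode=%5Binpost_gallery%20id%3D3%5D
198.51.100.4 POST /wp-admin/admin-ajax.php 200 editor1 action=heartbeat&data=1
203.0.113.7 POST /wp-admin/admin-ajax.php 200 subscriber1 action=inpost_gallery_get_shortcode_template&shortcode=%5Bother_plugin_form%5D
203.0.113.7 POST /wp-admin/admin-ajax.php 200 subscriber1 action=inpost_gallery_get_shortcode_template&shortcode=%5Bother_plugin_form%20id%3D1%5D%5Bthird_shortcode%5D
203.0.113.7 GET /wp-login.php 200 - -
"""


def parse_line(line):
    """Split one log line into fields and decode the POST body into a dict."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = {
        k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()
    }
    return rec


def classify(rec):
    """Return a finding for a request matching the indicator, else None."""
    if rec["method"] != "POST" or rec["uri"] != TARGET_URI:
        return None
    if rec["params"].get("action") != TARGET_ACTION:
        return None
    shortcode = rec["params"].get("shortcode")
    if shortcode is None:
        return None  # the SIEM query above also requires the shortcode parameter
    names = SHORTCODE_NAME.findall(shortcode)
    unusual = [n for n in names if n not in EXPECTED_SHORTCODES]
    return {
        "ip": rec["ip"],
        "user": rec["user"],
        "shortcode": shortcode,
        "unusual": unusual,
        # A shortcode the plugin itself would never render is the
        # "unusual shortcode parameter" the log indicator describes.
        "severity": "high" if unusual else "low",
    }


def scan(log_text):
    """Run the indicator over every line; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def repeat_offenders(findings, threshold=2):
    """IPs hitting the endpoint at least `threshold` times (the single-IP indicator)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["severity"].upper(), f["ip"], f["user"], f["shortcode"])
    print("repeat offenders:", repeat_offenders(results))
```

Low-severity hits are the plugin's normal behaviour and are worth keeping only for baselining; the high-severity ones, especially several from one source address tied to a low-privilege account, are the pattern to alert on.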