InPost Gallery < 2.1.4.6 – Authenticated (Subscriber+) Local File Inclusion | CVE 2025-57889 | Plugin Vulnerabilities

Description

The InPost Gallery plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.4.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

Fixed in 2.1.4.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c10a5583-5273-4b94-8e2e-e3d24ea941b0

Classification

Type

RFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

LVT-tholv2k

Verified

No

WPVDB ID

5ba732ff-4a7a-4c6e-9530-2da471b05cdb

Timeline

Publicly Published

2025-09-03 (about 7 months ago)

Added

2025-09-11 (about 6 months ago)

Last Updated

2025-09-11 (about 6 months ago)

Other

Published

Title

Published

2024-06-28

Title

PowerPack Lite for Beaver Builder < 1.3.0.4 - Authenticated (Editor+) Local File Inclusion

Published

2025-07-01

Title

WP Travel Gutenberg Blocks < 3.9.1 - Unauthenticated Local File Inclusion

Published

2026-01-08

Title

Amuli <= 2.3.0 - Unauthenticated Local File Inclusion

Published

2026-03-23

Title

NaturaLife Extensions < 2.2 - Unauthenticated Local File Inclusion

Published

2025-12-15

Title

ekommart < 4.3.1 - Authenticated (Contributor+) Local File Inclusion