CVE-2026-39574: WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability
Unauthenticated SQL injection in InPost Gallery versions <= 2.1.4.6.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: — (no fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an unauthenticated SQL injection vulnerability in the InPost Gallery WordPress plugin, affecting all versions up to and including 2.1.4.6. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any remote party can send a crafted HTTP request to a vulnerable WordPress installation. Successful exploitation allows an attacker to read data from the underlying database and cause limited disruption to availability. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.
HarborGuard Coverage
Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images containing the InPost Gallery plugin, including custom-built WordPress images. Any image found to carry an affected version of the plugin is flagged immediately in the customer's scan results.
Scoring: Available
HarborGuard is capable of scoring this finding at CVSS 9.3 (Critical) and weighting it further against each environment's compliance policy to determine urgency routing. Findings meeting critical thresholds are routable to the appropriate team inbox within each customer organization based on their configured notification rules.
Remediation: Pending upstream
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by the maintainer. In the meantime, customers with auto-remediation enabled will receive advisory notifications and can apply compensating controls through HarborGuard's policy engine.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.
- Authentication: Not required
No account or credentials of any kind are needed; the injection is reachable by any unauthenticated HTTP request.
- Victim interaction: Not required
The attacker does not need any victim to click a link or take any action; the exploit is fully self-contained in the attacker's request.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race windows, or environmental factors to succeed.
Blast Radius
- Reads arbitrary rows from the WordPress database, including user credentials (hashed passwords), email addresses, session tokens, and any plugin or site configuration data stored in the database.
- Does not allow an attacker to write or modify database rows, consistent with the integrity impact rating of None (I:N) in the CVSS vector.
- Causes limited disruption to availability, consistent with the Low availability impact rating (A:L), such as degraded query performance or partial denial of service under sustained exploitation.
- Because the scope metric is Changed (S:C), impact can extend beyond the WordPress application itself to other components sharing the same database server, such as other sites on a shared MySQL instance.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical SQL injection vulnerability is active across all customer environments, matching against any image that includes InPost Gallery version 2.1.4.6 or earlier. Because no upstream patch exists as of the CVE publication date, HarborGuard monitors the Patchstack advisory and the plugin's release channel on every ingest cycle. The moment a fix version is published, a patched-image rebuild will become available automatically, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads. While no patch is available, customers can apply compensating controls through HarborGuard's policy engine: network-policy rules that restrict public HTTP access to WordPress installations carrying this plugin, egress filtering on the database tier to limit lateral exposure, and feature-flag or virtual-patching rules that block requests matching known SQL injection patterns targeting the InPost Gallery plugin endpoint. Where compliance policy requires escalation of Critical findings without an available fix, HarborGuard routes these to the configured security inbox for manual review and prioritization.
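The detection described above comes down to finding the plugin inside an image filesystem and deciding whether its version falls in the affected range. The script below is an added example written for this page, not HarborGuard's scanner. It relies on two things the page supports: the standard WordPress plugin header (a PHP comment block carrying "Plugin Name:" and "Version:" lines) and the advisory's affected range of <= 2.1.4.6. The plugin directory and file names used in the constructed sample tree are assumptions. The version comparison is the part worth seeing: 2.1.4.6 is a four-component version, and a naive string comparison would wrongly treat 2.1.4.10 as affected and 2.1.4 as not.

```python
"""Flag container-image filesystems that carry an affected InPost Gallery build.

Added example, not HarborGuard's scanner. Uses only the standard WordPress
plugin header format and the advisory's affected range (<= 2.1.4.6). The
plugin slug and file name in the sample tree are assumptions.
"""
import os
import re
import tempfile

AFFECTED_PLUGIN = "InPost Gallery"
LAST_AFFECTED = "2.1.4.6"  # from the advisory: every version <= this is affected

# Matches " * Plugin Name: X" / " * Version: Y" lines inside the header comment.
HEADER_FIELD = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Turn '2.1.4.6' into (2, 1, 4, 6); stop at the first non-numeric part.

    Tuple comparison is what makes 2.1.4.10 > 2.1.4.6 and 2.1.4 < 2.1.4.6,
    neither of which plain string comparison gets right.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected under numeric dotted comparison."""
    return parse_version(version) <= parse_version(last_affected)


def read_plugin_header(path):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's main PHP file.

    WordPress itself only reads the first 8 KiB of a file for headers, so do the same.
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_FIELD.findall(head))


def scan_plugins_dir(plugins_dir):
    """Walk a wp-content/plugins tree and report every copy of the plugin.

    Returns (path, version, affected) tuples; affected is None when the header
    carries no parsable version, so that copy is surfaced for manual review.
    """
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            header = read_plugin_header(path)
            if header.get("Plugin Name") != AFFECTED_PLUGIN:
                continue
            version = header.get("Version", "")
            affected = is_affected(version) if parse_version(version) else None
            findings.append((path, version, affected))
    return findings


def build_sample_tree():
    """Create a constructed wp-content/plugins tree for the example to scan.

    Slugs and file names are made up for this example; only the header layout
    follows real WordPress convention. Returns the plugins directory.
    """
    plugins = os.path.join(tempfile.mkdtemp(prefix="wp-"), "wp-content", "plugins")
    samples = {
        "inpost-gallery/inpost-gallery.php": ("InPost Gallery", "2.1.4.6"),  # assumed path
        "some-other-plugin/some-other-plugin.php": ("Some Other Plugin", "9.9"),
    }
    for rel, (pname, ver) in samples.items():
        path = os.path.join(plugins, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: %s\n */\n" % (pname, ver))
    return plugins


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "version unknown"}
    for path, version, affected in scan_plugins_dir(build_sample_tree()):
        print("%-15s %-8s %s" % (labels[affected], version or "?", path))
```

Point the scanner at the mounted root of an image (the wp-content/plugins directory) rather than at the sample tree to use it for real; copies without a parsable Version header are reported rather than silently treated as clean.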
Affected Products
- RealMag777 / InPost Gallery: ≤ 2.1.4.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L