
InPost Gallery Unauthenticated SQL Injection Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2026-39574

An unauthenticated SQL injection vulnerability exists in the InPost Gallery plugin, allowing attackers to execute arbitrary SQL commands and potentially access sensitive data. This is a critical issue for websites using the plugin, as it could lead to unauthorized data access or service disruption. Confirmation of its

Halo Surface Signal

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-39574: 4

The vulnerability exists in a WordPress plugin. WordPress plugins are typically used to power public-facing websites, making the vulnerable component directly reachable by internet users via standard web requests.

PCI scan relevance

PCI Relevance for CVE-2026-39574

Yes

Halo PCI Relevance for CVE-2026-39574: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

With a CVSS base score of 9.3, far above the 4.0 threshold at which ASV scans report a failing finding, an internet-reachable instance of the vulnerable InPost Gallery plugin would be expected to cause a scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in InPost Gallery, a WordPress plugin, that allows unauthenticated SQL injection. The flaw lets an attacker read or manipulate backend data without any credentials. The immediate task for a site owner is to confirm whether the plugin is installed and, if so, how exposed it is.

  • Allows unauthorized data access or changes.
  • Critical vulnerability in a common website component.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted input over the network to the plugin's request-handling code, which on a public site is reachable by anyone on the internet. Successful exploitation could lead to unauthorized access to sensitive data or disruption of service.

  • No authentication required.
  • SQL injection in gallery feature.
  • Unauthorized data access or disruption.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated SQL injection vulnerability in the InPost Gallery plugin could allow an attacker to execute arbitrary SQL commands. This could potentially expose sensitive database information when the plugin is in use on a publicly accessible website.

  • Database information at risk.
  • Remote attackers can trigger it.
  • May lead to unauthorized data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given this unauthenticated SQL injection vulnerability in the InPost Gallery plugin, application owners and the platform team are likely responsible for addressing it. The first practical step is to identify all instances of the affected plugin, determine their exposure to the internet, and confirm their business criticality to prioritize remediation efforts.

  • Ownership: Application owners and platform teams.
  • Verify first: Plugin presence and external reachability.
  • Action: Plan remediation based on risk.


Frequently asked questions

What is the InPost Gallery plugin?

InPost Gallery is an extension for WordPress websites designed to help users create, manage, and display image galleries. As a plugin within the WordPress ecosystem, it is commonly installed to improve the visual presentation of web pages. It handles web requests to fetch and render images; the advisory attributes the flaw to that request handling but does not name the specific parameter or endpoint.

What does SQL injection mean for CVE-2026-39574?

This vulnerability is categorized as CWE-89, SQL Injection. It occurs when a program builds a database query by mixing untrusted input into the SQL text instead of passing it separately as a bound parameter, so an attacker can change the structure of the query rather than just its data. For this CVE, it means the plugin can be made to run database operations its authors never intended, potentially exposing sensitive information or causing the system to behave in unintended ways.
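The following is an added example, not code from InPost Gallery or from this advisory; the plugin's real tables, parameter names and query text are not published here, so the gallery and user tables, the rows in them, and the `id` parameter are all constructed for illustration. It shows, with SQLite standing in for MySQL, why an unauthenticated request parameter that is pasted into query text lets an attacker both bypass a `published = 1` filter and pull rows out of an unrelated table, and how binding the value as a typed parameter (the equivalent of WordPress's `$wpdb->prepare()` with a `%d` placeholder) closes both paths.

```python
import sqlite3

# Constructed sample data standing in for the plugin's tables: a gallery table with
# one public row, and an unrelated credentials table an attacker would want to reach.
GALLERIES = [(1, "public-gallery", 1), (2, "draft-gallery", 0), (3, "internal-gallery", 0)]
USERS = [("admin", "$P$constructed-phpass-hash")]


def make_db():
    """In-memory SQLite database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE galleries (id INTEGER PRIMARY KEY, slug TEXT, published INTEGER)")
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO galleries VALUES (?, ?, ?)", GALLERIES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def fetch_gallery_vulnerable(conn, gallery_id):
    """CWE-89: the request parameter is interpolated into the SQL text unchanged."""
    sql = f"SELECT id, slug FROM galleries WHERE published = 1 AND id = {gallery_id}"
    return conn.execute(sql).fetchall()


def fetch_gallery_hardened(conn, gallery_id):
    """Fix: coerce to the expected type, then bind it as a parameter so the driver
    never lets the value alter the query structure. ($wpdb->prepare() with a %d
    placeholder is the WordPress equivalent of this pattern.)"""
    try:
        gid = int(gallery_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, slug FROM galleries WHERE published = 1 AND id = ?", (gid,)
    ).fetchall()


# Payloads a remote, unauthenticated client could place in the (assumed) id parameter.
# No quote-breaking is needed because the value lands in a numeric context.
BYPASS_FILTER = "1 OR 1=1"   # AND binds tighter than OR, so the published filter is defeated
DUMP_USERS = "0 UNION SELECT user_login, user_pass FROM users"  # same column count as the SELECT

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, boolean bypass:", fetch_gallery_vulnerable(db, BYPASS_FILTER))
    print("vulnerable, union dump:    ", fetch_gallery_vulnerable(db, DUMP_USERS))
    print("hardened, boolean bypass:  ", fetch_gallery_hardened(db, BYPASS_FILTER))
    print("hardened, legitimate id:   ", fetch_gallery_hardened(db, "1"))
```

The two payloads map to the two outcomes the advisory lists: the boolean bypass returns the draft and internal galleries alongside the public one (unauthorized data access), and the UNION payload returns a credential hash from a table the gallery feature should never touch. Parameter binding alone would already defeat both, because the driver treats the whole string as a single value; the integer cast is added so that malformed input is rejected before a query is issued at all.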

How can an attacker trigger this vulnerability?

An attacker can trigger this flaw by sending specially crafted network requests to the website without needing a username or password. This means the vulnerability does not require any prior access to the site's administrative functions. Simply interacting with the public-facing features of the plugin that handle user input is sufficient to trigger the issue.

Is my website at risk from this vulnerability?

If you use InPost Gallery, your risk depends on whether the plugin is reachable from the internet. According to Halo Surface Signal, because this is a WordPress plugin used for public-facing site features, these components are typically exposed to external web traffic. If your site is accessible online, the vulnerable code is likely reachable by anyone on the internet.

What should I do if I use this plugin?

Your first step is to audit your WordPress installations to locate any instances of the InPost Gallery plugin. Once identified, evaluate the plugin's role on your site and its exposure to the internet. Work with your technical team to prioritize these assets for remediation, such as updating the plugin to a secure version if available or removing it entirely if it is not essential to your business operations.
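The Operational Fix section and the answer above both come down to the same first step: find every WordPress install you operate and check whether this plugin is present, and at what version. The script below is an added example written for this page, not tooling from the advisory or from the plugin's authors. It walks a filesystem root, treats every directory holding a `wp-config.php` as an install, and parses the standard WordPress plugin header (`Plugin Name:` / `Version:`) from each plugin's main PHP file. The header name it matches on (`InPost Gallery`) and the directory slug, version strings and second plugin in the sample tree are assumptions or constructed test data, not values taken from the advisory.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed identifier: how the plugin names itself in its "Plugin Name:" header.
# The advisory gives only the product name; adjust if the real header differs.
TARGET_PLUGIN_NAME = re.compile(r"^inpost\s+gallery$", re.IGNORECASE)

# WordPress reads plugin metadata from a comment block at the top of the main PHP
# file; this mirrors the core header pattern for the two fields an audit needs.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def find_wordpress_installs(root):
    """Return every directory under root that holds a wp-config.php (an install root)."""
    return sorted(Path(d) for d, _, files in os.walk(root) if "wp-config.php" in files)


def read_plugin_header(php_file):
    """Parse 'Plugin Name' and 'Version' from the first 8 KiB of a plugin file."""
    with open(php_file, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def list_plugins(install_root):
    """Inventory wp-content/plugins: one record per plugin directory or single-file plugin."""
    plugins_dir = Path(install_root) / "wp-content" / "plugins"
    found = []
    if not plugins_dir.is_dir():
        return found
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_dir():
            candidates = sorted(entry.glob("*.php"))
        elif entry.suffix == ".php":
            candidates = [entry]
        else:
            continue
        for php in candidates:
            header = read_plugin_header(php)
            if "Plugin Name" in header:
                found.append({
                    "install": str(install_root),
                    "slug": entry.stem if entry.is_file() else entry.name,
                    "name": header["Plugin Name"],
                    "version": header.get("Version", "unknown"),
                    "file": str(php),
                })
                break  # the first file carrying a header is the plugin's main file
    return found


def find_affected(root, name_re=TARGET_PLUGIN_NAME):
    """Every plugin record under root whose header name matches name_re."""
    return [p for install in find_wordpress_installs(root)
            for p in list_plugins(install) if name_re.search(p["name"])]


def build_sample_tree():
    """Constructed test data: two installs, only site-a carries the target plugin."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    for site in ("site-a", "site-b"):
        (root / "var" / "www" / site / "wp-content" / "plugins").mkdir(parents=True)
        (root / "var" / "www" / site / "wp-config.php").write_text("<?php // constructed\n")
    gallery = root / "var" / "www" / "site-a" / "wp-content" / "plugins" / "inpost-gallery"
    gallery.mkdir()  # assumed slug; version below is constructed, not a real release
    (gallery / "inpost-gallery.php").write_text(
        "<?php\n/*\nPlugin Name: InPost Gallery\nVersion: 1.0.0\n*/\n")
    (root / "var" / "www" / "site-b" / "wp-content" / "plugins" / "sample-form.php").write_text(
        "<?php\n/**\n * Plugin Name: Sample Contact Form\n * Version: 3.2.1\n */\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_affected(sample_root):
        print(f"{hit['install']}: {hit['name']} {hit['version']} ({hit['file']})")
```

Run it against the real web roots (for example `find_affected("/var/www")`) rather than the constructed tree. Two caveats: a plugin present on disk is not necessarily active, since activation state lives in the database (`wp plugin list --status=active` under WP-CLI reports the live state), and disk presence says nothing about external reachability, which is the second thing the Operational Fix asks you to verify before prioritizing.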
