CVE-2022-4060

CRITICAL EXPLOITED NUCLEI

User Post Gallery WP <2.19 - Code Injection

Title source: llm

Exploitation Summary

CVE-2022-4060 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including im-hanzou. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a bash script that automates the checking of WordPress sites for vulnerability to CVE-2022-4060, an unauthenticated RCE flaw in the User Post Gallery plugin. It uses GNU Parallel for mass scanning and verifies the presence of the vulnerability by sending a crafted request to the target.

Description

The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.

Exploits (1)

nomisec SCANNER 8 stars

by im-hanzou · remote

https://github.com/im-hanzou/UPGer

View Code ZIP pw:eip

This repository contains a bash script that automates the checking of WordPress sites for vulnerability to CVE-2022-4060, an unauthenticated RCE flaw in the User Post Gallery plugin. It uses GNU Parallel for mass scanning and verifies the presence of the vulnerability by sending a crafted request to the target.

Classification

Scanner 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin: User Post Gallery <= 2.19

No auth needed

Prerequisites: GNU Parallel installed · List of target URLs

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress User Post Gallery <=2.19 - Remote Code Execution

CRITICALVERIFIEDby theamanrawat

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e

Scores

CVSS v3 9.8

EPSS 0.4299

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2022-12-26

Status published

Products (1)

odude/user_post_gallery < 2.19

Published Jan 16, 2023

Tracked Since Feb 18, 2026