CVE-2026-1254
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Tags
Description
The Modula Image Gallery - Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.
Analysis
The Modula Image Gallery plugin for WordPress through version 2.13.6 fails to properly validate REST API permissions, allowing authenticated contributors and higher-privileged users to modify arbitrary post content by manipulating post IDs in API requests. Attackers can update titles, excerpts, and body content of posts they do not own, potentially leading to unauthorized content modification or injection attacks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to authorization bypass in all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today