Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.This issue affects Meow Gallery: from n/a through <= 5.4.4.
AnalysisAI
Blind SQL injection in Meow Gallery up to version 5.4.4 allows high-privileged attackers to extract sensitive data from the application database through specially crafted SQL queries. An authenticated administrator with high privileges can exploit this vulnerability without user interaction to perform unauthorized database queries, potentially exposing confidential information. No patch is currently available for affected installations.
Technical ContextAI
The vulnerability affects the Meow Gallery plugin by Jordy Meow, a WordPress gallery management extension. This is a classic SQL injection vulnerability (CWE-89) where user-supplied input is improperly sanitized before being incorporated into SQL queries. The blind SQL injection variant means attackers cannot see direct query results but can infer information through application behavior differences. The vulnerability requires network access and high privileges according to the CVSS vector, suggesting it likely affects administrative or editor-level functionality within the plugin where SQL queries are constructed using unsanitized user input.
RemediationAI
Update the Meow Gallery plugin to a version newer than 5.4.4 if available, as the vulnerability affects versions up to and including 5.4.4. If an update is not yet available, consider temporarily disabling the plugin until a patch is released. As a compensating control, restrict WordPress administrative and editor access to trusted users only, implement strong authentication measures including two-factor authentication, and monitor database query logs for suspicious activity patterns that might indicate SQL injection attempts. Regular WordPress and plugin updates should be part of standard security maintenance.
More in Meow Gallery
View allThe Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery sh
Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11941