Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network-accessible REST endpoint, no complexity, requires Author-level authentication (PR:L), integrity-only impact limited to gallery records.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
AnalysisAI
Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled id parameter. The endpoint /wp-json/meow-gallery/v1/save_shortcode performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.
Technical ContextAI
The vulnerability resides in the WordPress REST API handler registered by the Meow Gallery plugin (vendor: tigroumeow, CPE: cpe:2.3:a:tigroumeow:meow_gallery:*:*:*:*:*:*:*:*). WordPress REST API endpoints accept JSON payloads over HTTPS and are accessible to authenticated users. The affected handler at /wp-json/meow-gallery/v1/save_shortcode accepts an id parameter supplied entirely by the client and passes it directly to a database update/create operation without a capability check (e.g., current_user_can()) or ownership verification. CWE-639 (Authorization Bypass Through User-Controlled Key) is the root cause: the system uses a user-supplied record identifier as the access key without confirming that the requesting principal is authorized to modify that specific record. This is structurally identical to an Insecure Direct Object Reference (IDOR). The source code is browsable at the WordPress Trac reference, and the fix is visible in changeset 3469543 which introduces the missing authorization gate.
RemediationAI
The primary fix is to upgrade Meow Gallery to version 5.4.5 or later, which introduces the missing capability check in the REST API handler as documented in WordPress Trac changeset 3469543 (https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery). Site administrators should apply the update via the WordPress admin dashboard or WP-CLI (wp plugin update meow-gallery). As a compensating control for sites that cannot immediately patch, consider restricting the Author role: remove or demote untrusted Author accounts, or use a plugin such as Members or User Role Editor to strip REST API write capabilities from the Author role - note this may affect legitimate authoring workflows. Blocking the specific endpoint path /wp-json/meow-gallery/v1/save_shortcode at the WAF or web server level is a surgical workaround that disables the vulnerable operation without broader role changes, though it will prevent gallery shortcode saves via the REST API until the patch is applied. Wordfence's detailed advisory is available at https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve.
More in Meow Gallery
View allThe Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery sh
Blind SQL injection in Meow Gallery up to version 5.4.4 allows high-privileged attackers to extract sensitive data from
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36649
GHSA-vwf8-xx3v-5qw7