Skip to main content

Meow Gallery EUVDEUVD-2026-36649

| CVE-2026-1291 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-13 Wordfence GHSA-vwf8-xx3v-5qw7
4.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible REST endpoint, no complexity, requires Author-level authentication (PR:L), integrity-only impact limited to gallery records.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 13, 2026 - 09:45 vuln.today
CVE Published
Jun 13, 2026 - 08:29 cve.org
MEDIUM 4.3

DescriptionNVD

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.

AnalysisAI

Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled id parameter. The endpoint /wp-json/meow-gallery/v1/save_shortcode performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.

Technical ContextAI

The vulnerability resides in the WordPress REST API handler registered by the Meow Gallery plugin (vendor: tigroumeow, CPE: cpe:2.3:a:tigroumeow:meow_gallery:*:*:*:*:*:*:*:*). WordPress REST API endpoints accept JSON payloads over HTTPS and are accessible to authenticated users. The affected handler at /wp-json/meow-gallery/v1/save_shortcode accepts an id parameter supplied entirely by the client and passes it directly to a database update/create operation without a capability check (e.g., current_user_can()) or ownership verification. CWE-639 (Authorization Bypass Through User-Controlled Key) is the root cause: the system uses a user-supplied record identifier as the access key without confirming that the requesting principal is authorized to modify that specific record. This is structurally identical to an Insecure Direct Object Reference (IDOR). The source code is browsable at the WordPress Trac reference, and the fix is visible in changeset 3469543 which introduces the missing authorization gate.

RemediationAI

The primary fix is to upgrade Meow Gallery to version 5.4.5 or later, which introduces the missing capability check in the REST API handler as documented in WordPress Trac changeset 3469543 (https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery). Site administrators should apply the update via the WordPress admin dashboard or WP-CLI (wp plugin update meow-gallery). As a compensating control for sites that cannot immediately patch, consider restricting the Author role: remove or demote untrusted Author accounts, or use a plugin such as Members or User Role Editor to strip REST API write capabilities from the Author role - note this may affect legitimate authoring workflows. Blocking the specific endpoint path /wp-json/meow-gallery/v1/save_shortcode at the WAF or web server level is a surgical workaround that disables the vulnerable operation without broader role changes, though it will prevent gallery shortcode saves via the REST API until the patch is applied. Wordfence's detailed advisory is available at https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve.

Share

EUVD-2026-36649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy