EUVD-2026-36940
GHSA-g62q-72r7-mfg9
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
WordPress Author role is a low-privileged content contributor (PR:L, not admin-level PR:H); reliable RCE depends on a usable POP gadget chain in the target stack, raising AC to High.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
AnalysisAI
PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with at least the Author role on a site running Modula Image Gallery ≤ 2.14.18 (PR:H per CVSS); the attack is delivered over the network with no user interaction (AV:N, UI:N) and low complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 7.2 (High) vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reflects a network-reachable, low-complexity flaw with full CIA impact, but gated by PR:H (high privileges - Author or above in WordPress terms). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or registered a WordPress Author-level account (via credential reuse, phishing, or open author registration) submits a crafted request to a vulnerable Modula Image Gallery endpoint containing a serialized PHP object payload. The plugin deserializes the input via unserialize(), triggering a POP gadget chain in WordPress core or another installed plugin to achieve arbitrary file write or code execution in the web server context. … |
| Remediation | Patch available per vendor advisory - upgrade Modula Image Gallery to a release newer than 2.14.18 as published on the WordPress.org plugin repository and referenced by Patchstack at https://patchstack.com/database/wordpress/plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-14-18-php-object-injection-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit WordPress installations for Modula Image Gallery plugin presence and active version. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today