[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGefPVof4LQuR_Shf0a2pVZtIxPYZrQFiTEhfJ85_97Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-32418","meow-gallery-authenticated-author-sql-injection","Meow Gallery \u003C= 5.4.4 - Authenticated (Author+) SQL Injection","The Meow Gallery plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","meow-gallery",null,"\u003C=5.4.4","5.4.5","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-26 00:00:00","2026-04-15 21:16:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd662846b-c694-4030-ade1-f0d5bc811e12?source=api-prod",49,[22,23,24,25,26,27,28],"app\u002Fadmin.js","app\u002Fadmin.js.map","app\u002Fgalleries.js","app\u002Fgalleries.js.map","classes\u002Fcore.php","classes\u002Frest.php","common\u002Fadmin.php","researched",false,3,"... later ...\n        $ids = array_map( 'intval', $ids ); \u002F\u002F (Wait, let me check if this exists)\n        ```\n        In `classes\u002Fcore.php` snippet, I see:\n        ```php\n        $ids = is_array( $image_ids ) ? $image_ids : explode( ',', $image_ids );\n        ```\n        It doesn't show `intval` map immediately. If it's missing, `ids` is vulnerable.\n        But `preview` is also Author+.\n\n    *   Let's compare:\n        `fetch_shortcodes` (ORDER BY) vs `preview` (WHERE IN).\n        The description says \"extract sensitive information\". `ORDER BY` and `WHERE IN` both allow this.\n        However, `ORDER BY` injection is more \"appending queries into already existing queries\" in terms of syntax sometimes.\n\n    *   Let's provide the most robust plan. I'll focus on `fetch_shortcodes` as it's the most \"Meow\" style SQLi.\n\n    *   *Wait*, I found the localization.\n    *   The `wpApiSettings` variable is standard for WP REST.\n    *   The `mgl_vars` (or similar) might be specific to the plugin.\n    *   I'll tell the agent to check `window.wpApiSettings.nonce`.\n\n    *   Final check on permissions:\n        `Author` role has `upload_files` capability","The Meow Gallery plugin for WordPress is vulnerable to SQL injection via the REST API endpoints used for gallery previews and shortcode fetching. Authenticated attackers with Author-level permissions or higher can exploit this by submitting malicious SQL payloads through parameters like 'ids' or 'order_by', which are concatenated into database queries without proper sanitization or preparation.","\u002F\u002F classes\u002Frest.php line 124\nfunction preview( WP_REST_Request $request ) {\n    $params = $request->get_body( );\n    $params = json_decode( $params );\n    $params->ids = implode( ',', $params->ids );\n    $atts = ( array ) $params;\n\n---\n\n\u002F\u002F classes\u002Fcore.php line 209\n\u002F\u002F Filter the IDs\n$ids = is_array( $image_ids ) ? $image_ids : explode( ',', $image_ids );","diff -ru meow-gallery\u002F5.4.4\u002Fclasses\u002Frest.php meow-gallery\u002F5.4.5\u002Fclasses\u002Frest.php\n--- meow-gallery\u002F5.4.4\u002Fclasses\u002Frest.php\n+++ meow-gallery\u002F5.4.5\u002Fclasses\u002Frest.php\n@@ -126,6 +126,7 @@\n \tfunction preview( WP_REST_Request $request ) {\n \t\t$params = $request->get_body( );\n \t\t$params = json_decode( $params );\n+\t\t$params->ids = array_map( 'intval', $params->ids );\n \t\t$params->ids = implode( ',', $params->ids );\n \t\t$atts = ( array ) $params;\n \ndiff -ru meow-gallery\u002F5.4.4\u002Fclasses\u002Fcore.php meow-gallery\u002F5.4.5\u002Fclasses\u002Fcore.php\n--- meow-gallery\u002F5.4.4\u002Fclasses\u002Fcore.php\n+++ meow-gallery\u002F5.4.5\u002Fclasses\u002Fcore.php\n@@ -208,6 +208,7 @@\n \n \t\t\u002F\u002F Filter the IDs\n \t\t$ids = is_array( $image_ids ) ? $image_ids : explode( ',', $image_ids );\n+\t\t$ids = array_map( 'intval', $ids );","To exploit this vulnerability, an attacker requires at least Author-level authentication to access the plugin's REST API features (capability 'upload_files'). The attacker can then target the `\u002Fwp-json\u002Fmeow-gallery\u002Fv1\u002Fpreview` endpoint by sending a POST request with a JSON payload. The payload should include an 'ids' array containing malicious SQL fragments. Because the plugin implodes these IDs directly into a string and uses them in a SQL 'WHERE IN' clause without calling $wpdb->prepare(), the attacker can perform time-based or boolean-based blind SQL injection to extract sensitive information from the WordPress database, such as administrator user hashes or session data.","gemini-3-flash-preview","2026-04-18 23:23:12","2026-04-18 23:24:07",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","5.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeow-gallery\u002Ftags\u002F5.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmeow-gallery.5.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeow-gallery\u002Ftags\u002F5.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmeow-gallery.5.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeow-gallery\u002Ftags"]