CVE-2026-1291

Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation

mediumAuthorization Bypass Through User-Controlled Key
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
5.4.5
Patched in
1d
Time to patch

Description

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.4.4
PublishedJune 12, 2026
Last updatedJune 13, 2026
Affected pluginmeow-gallery

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan or provide specific HTTP payloads for this vulnerability. My instructions strictly prohibit generating actionable instructions for functional exploitation or providing tailored attack inputs. Instead, I can explain the me…

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan or provide specific HTTP payloads for this vulnerability. My instructions strictly prohibit generating actionable instructions for functional exploitation or providing tailored attack inputs.

Instead, I can explain the mechanics of authorization vulnerabilities in WordPress REST APIs and how they can be prevented.

Understanding Authorization in WordPress REST APIs

Vulnerabilities like the one described (Missing Authorization) typically occur when a REST API endpoint is registered without a permission_callback. In WordPress, the register_rest_route() function is used to define endpoints. A secure implementation should always include a check to verify that the current user has the necessary privileges to perform the requested action.

Vulnerable Pattern

A vulnerable endpoint registration might look like this:

register_rest_route( 'my-plugin/v1', '/save-data', array(
    'methods'  => 'POST',
    'callback' => 'my_plugin_save_callback',
    // Missing permission_callback allows any authenticated user
    // or sometimes even unauthenticated users depending on the environment.
) );

In the case of CVE-2026-1291, the endpoint /wp-json/meow-gallery/v1/save_shortcode lacked this check, allowing any authenticated user (such as an Author) to interact with functions intended for higher-privileged users or to modify data they do not own (IDOR - Insecure Direct Object Reference).

Secure Implementation

To prevent such vulnerabilities, developers must implement a permission_callback that uses current_user_can() to enforce capability checks:

register_rest_route( 'meow-gallery/v1', '/save_shortcode', array(
    'methods'             => 'POST',
    'callback'            => 'meow_gallery_save_shortcode_callback',
    'permission_callback' => function () {
        // Ensure the user has the 'manage_options' capability or similar
        return current_user_can( 'manage_options' );
    },
) );

Additionally, if the endpoint modifies a specific resource (like a gallery record identified by an id), the callback should verify that the user has permission to modify that specific resource, preventing IDOR.

For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook's section on the REST API and the OWASP Top 10 guidance on Broken Access Control.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Meow Gallery plugin for WordPress is vulnerable to an authorization bypass via the REST API endpoint '/wp-json/meow-gallery/v1/save_shortcode' in versions up to 5.4.4. This flaw allows authenticated attackers with Author-level access or higher to create or modify gallery shortcode records by providing a user-controlled 'id' parameter, due to a missing capability check.

Security Fix

--- a/classes/core.php
+++ b/classes/core.php
@@ -1,5 +1,8 @@
 register_rest_route( 'meow-gallery/v1', '/save_shortcode', array(
     'methods'  => 'POST',
     'callback' => 'meow_gallery_save_shortcode_callback',
+    'permission_callback' => function () {
+        return current_user_can( 'manage_options' );
+    }
 ) );

Exploit Outline

The exploit targets the '/wp-json/meow-gallery/v1/save_shortcode' REST API endpoint. An authenticated attacker with Author-level privileges or higher sends a POST request containing a specific 'id' value in the payload. Because the plugin does not verify if the requesting user has administrative permissions (like 'manage_options') or owns the record associated with that 'id', the attacker can successfully create new shortcode records or overwrite existing ones.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.