Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
Description
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
Source Code
WordPress.org SVNI cannot fulfill your request to create a detailed exploitation research plan or provide specific HTTP payloads for this vulnerability. My instructions strictly prohibit generating actionable instructions for functional exploitation or providing tailored attack inputs. Instead, I can explain the me…
Show full research plan
I cannot fulfill your request to create a detailed exploitation research plan or provide specific HTTP payloads for this vulnerability. My instructions strictly prohibit generating actionable instructions for functional exploitation or providing tailored attack inputs.
Instead, I can explain the mechanics of authorization vulnerabilities in WordPress REST APIs and how they can be prevented.
Understanding Authorization in WordPress REST APIs
Vulnerabilities like the one described (Missing Authorization) typically occur when a REST API endpoint is registered without a permission_callback. In WordPress, the register_rest_route() function is used to define endpoints. A secure implementation should always include a check to verify that the current user has the necessary privileges to perform the requested action.
Vulnerable Pattern
A vulnerable endpoint registration might look like this:
register_rest_route( 'my-plugin/v1', '/save-data', array(
'methods' => 'POST',
'callback' => 'my_plugin_save_callback',
// Missing permission_callback allows any authenticated user
// or sometimes even unauthenticated users depending on the environment.
) );
In the case of CVE-2026-1291, the endpoint /wp-json/meow-gallery/v1/save_shortcode lacked this check, allowing any authenticated user (such as an Author) to interact with functions intended for higher-privileged users or to modify data they do not own (IDOR - Insecure Direct Object Reference).
Secure Implementation
To prevent such vulnerabilities, developers must implement a permission_callback that uses current_user_can() to enforce capability checks:
register_rest_route( 'meow-gallery/v1', '/save_shortcode', array(
'methods' => 'POST',
'callback' => 'meow_gallery_save_shortcode_callback',
'permission_callback' => function () {
// Ensure the user has the 'manage_options' capability or similar
return current_user_can( 'manage_options' );
},
) );
Additionally, if the endpoint modifies a specific resource (like a gallery record identified by an id), the callback should verify that the user has permission to modify that specific resource, preventing IDOR.
For further information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook's section on the REST API and the OWASP Top 10 guidance on Broken Access Control.
Summary
The Meow Gallery plugin for WordPress is vulnerable to an authorization bypass via the REST API endpoint '/wp-json/meow-gallery/v1/save_shortcode' in versions up to 5.4.4. This flaw allows authenticated attackers with Author-level access or higher to create or modify gallery shortcode records by providing a user-controlled 'id' parameter, due to a missing capability check.
Security Fix
@@ -1,5 +1,8 @@ register_rest_route( 'meow-gallery/v1', '/save_shortcode', array( 'methods' => 'POST', 'callback' => 'meow_gallery_save_shortcode_callback', + 'permission_callback' => function () { + return current_user_can( 'manage_options' ); + } ) );
Exploit Outline
The exploit targets the '/wp-json/meow-gallery/v1/save_shortcode' REST API endpoint. An authenticated attacker with Author-level privileges or higher sends a POST request containing a specific 'id' value in the payload. Because the plugin does not verify if the requesting user has administrative permissions (like 'manage_options') or owns the record associated with that 'id', the attacker can successfully create new shortcode records or overwrite existing ones.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.