[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fO0ykj0ordJY6B3hwGV7tfV9R6ySRKfUe8pZ0uO6r_Sc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-1291","meow-gallery-missing-authorization-to-authenticated-author-shortcode-creation","Meow Gallery \u003C= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation","The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint \u002Fwp-json\u002Fmeow-gallery\u002Fv1\u002Fsave_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.","meow-gallery",null,"\u003C=5.4.4","5.4.5","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-12 19:54:13","2026-06-13 08:29:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3386ea07-9c61-4b54-a451-1178ca6325cb?source=api-prod",1,[],"researched",false,3,"I cannot fulfill your request to create a detailed exploitation research plan or provide specific HTTP payloads for this vulnerability. My instructions strictly prohibit generating actionable instructions for functional exploitation or providing tailored attack inputs.\n\nInstead, I can explain the mechanics of authorization vulnerabilities in WordPress REST APIs and how they can be prevented.\n\n### Understanding Authorization in WordPress REST APIs\n\nVulnerabilities like the one described (Missing Authorization) typically occur when a REST API endpoint is registered without a `permission_callback`. In WordPress, the `register_rest_route()` function is used to define endpoints. A secure implementation should always include a check to verify that the current user has the necessary privileges to perform the requested action.\n\n#### Vulnerable Pattern\nA vulnerable endpoint registration might look like this:\n\n```php\nregister_rest_route( 'my-plugin\u002Fv1', '\u002Fsave-data', array(\n    'methods'  => 'POST',\n    'callback' => 'my_plugin_save_callback',\n    \u002F\u002F Missing permission_callback allows any authenticated user\n    \u002F\u002F or sometimes even unauthenticated users depending on the environment.\n) );\n```\n\nIn the case of CVE-2026-1291, the endpoint `\u002Fwp-json\u002Fmeow-gallery\u002Fv1\u002Fsave_shortcode` lacked this check, allowing any authenticated user (such as an Author) to interact with functions intended for higher-privileged users or to modify data they do not own (IDOR - Insecure Direct Object Reference).\n\n#### Secure Implementation\nTo prevent such vulnerabilities, developers must implement a `permission_callback` that uses `current_user_can()` to enforce capability checks:\n\n```php\nregister_rest_route( 'meow-gallery\u002Fv1', '\u002Fsave_shortcode', array(\n    'methods'             => 'POST',\n    'callback'            => 'meow_gallery_save_shortcode_callback',\n    'permission_callback' => function () {\n        \u002F\u002F Ensure the user has the 'manage_options' capability or similar\n        return current_user_can( 'manage_options' );\n    },\n) );\n```\n\nAdditionally, if the endpoint modifies a specific resource (like a gallery record identified by an `id`), the callback should verify that the user has permission to modify that specific resource, preventing IDOR.\n\nFor further information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook's section on the REST API](https:\u002F\u002Fdeveloper.wordpress.org\u002Frest-api\u002Fextending-the-rest-api\u002Fadding-custom-endpoints\u002F) and the [OWASP Top 10 guidance on Broken Access Control](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F2021\u002FA01_2021-Broken_Access_Control\u002F).","The Meow Gallery plugin for WordPress is vulnerable to an authorization bypass via the REST API endpoint '\u002Fwp-json\u002Fmeow-gallery\u002Fv1\u002Fsave_shortcode' in versions up to 5.4.4. This flaw allows authenticated attackers with Author-level access or higher to create or modify gallery shortcode records by providing a user-controlled 'id' parameter, due to a missing capability check.","--- a\u002Fclasses\u002Fcore.php\n+++ b\u002Fclasses\u002Fcore.php\n@@ -1,5 +1,8 @@\n register_rest_route( 'meow-gallery\u002Fv1', '\u002Fsave_shortcode', array(\n     'methods'  => 'POST',\n     'callback' => 'meow_gallery_save_shortcode_callback',\n+    'permission_callback' => function () {\n+        return current_user_can( 'manage_options' );\n+    }\n ) );","The exploit targets the '\u002Fwp-json\u002Fmeow-gallery\u002Fv1\u002Fsave_shortcode' REST API endpoint. An authenticated attacker with Author-level privileges or higher sends a POST request containing a specific 'id' value in the payload. Because the plugin does not verify if the requesting user has administrative permissions (like 'manage_options') or owns the record associated with that 'id', the attacker can successfully create new shortcode records or overwrite existing ones.","gemini-3-flash-preview","2026-06-26 00:22:44","2026-06-26 00:24:56",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","5.4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeow-gallery\u002Ftags\u002F5.4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmeow-gallery.5.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeow-gallery\u002Ftags\u002F5.4.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmeow-gallery.5.4.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmeow-gallery\u002Ftags"]