CVE-2026-0687

Meta-box GalleryMeta <= 3.0.1 - Missing Authorization to Authenticated (Author+) Gallery Management

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 3.1
Time to patch: 11d

Description

The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=3.0.1
Published: January 23, 2026
Last updated: February 3, 2026
Affected plugin: meta-box-gallerymeta

Source Code

WordPress.org SVN
Research Plan
Unverified

This plan outlines the research and exploitation strategy for CVE-2026-0687, a missing authorization vulnerability in the Meta-box GalleryMeta plugin. The vulnerability allows users with Author roles or higher to manage (create/publish) galleries, which should likely be restricted to higher-privileged roles (like Editors or Administrators).


1. Vulnerability Summary

The Meta-box GalleryMeta plugin registers a custom post type (CPT) called mb_gallery. The vulnerability arises because the plugin fails to properly restrict the capabilities associated with this CPT. Specifically, it likely omits the capability_type and capabilities parameters in the register_post_type call, or fails to define a custom permission schema. This results in the CPT defaulting to standard post capabilities. Since users with the Author role have the publish_posts capability, they are inadvertently granted the ability to create, edit, and publish mb_gallery objects.

2. Attack Vector Analysis

  • Target Endpoint:
    1. WordPress REST API: POST /wp-json/wp/v2/mb_gallery (if show_in_rest is true).
    2. Standard Admin UI: wp-admin/post-new.php?post_type=mb_gallery.
  • Authentication: Authenticated user with Author role.
  • Vulnerable Parameter: The post_type itself is accessible to unauthorized roles for publication.
  • Preconditions: The plugin must be active. An Author account is required.

3. Code Flow (Inferred)

  1. Initialization: During the init hook, the plugin calls register_post_type( 'mb_gallery', $args ).
  2. The Flaw: The $args array likely lacks a restrictive capability_type (e.g., it is absent or set to 'post') and does not set map_meta_cap => true with custom mapped capabilities.
  3. Access Control: When a request is made to create a post of type mb_gallery, WordPress checks if the current user can edit_posts (for drafts) or publish_posts (for publishing).
  4. Authorization Failure: Because an Author possesses publish_posts, the check passes for a post type that was intended to be restricted to Administrators.

4. Nonce Acquisition Strategy

If exploiting via the REST API, a REST nonce (wp_rest action) is required. If exploiting via the standard Admin UI, the browser handles nonces automatically.

Method: REST API Nonce

  1. Identify Localization: WordPress typically localizes the REST nonce in the wp-api or wp-utils scripts, or it is provided by the theme/plugin.
  2. Extraction:
    • Navigate to any dashboard page (e.g., /wp-admin/index.php) as the Author user.
    • Use browser_eval to extract the nonce from the wpApiSettings object.
  3. JavaScript: window.wpApiSettings?.nonce

5. Exploitation Strategy

We will demonstrate the vulnerability by using an Author account to publish a new mb_gallery post via the REST API.

Step 1: Authentication
Log in as an Author user using the http_request tool to obtain session cookies.

Step 2: Nonce Extraction
Navigate to the dashboard and extract the wp_rest nonce.

Step 3: Create and Publish Gallery

  • Endpoint: http://localhost:8080/wp-json/wp/v2/mb_gallery
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [EXTRACTED_NONCE]
  • Payload:
    {
      "title": "Unauthorized Gallery by Author",
      "status": "publish",
      "content": "This gallery was created by an Author user."
    }

6. Test Data Setup

  1. Install Plugin: Ensure meta-box-gallerymeta (v3.0.1 or lower) is installed and active.
  2. Create User: Create a user with the Author role.
    • wp user create attacker attacker@example.com --role=author --user_pass=password123
  3. No Existing Galleries: Ensure no galleries exist initially to make verification clear.
    • wp post delete $(wp post list --post_type=mb_gallery --format=ids) --force (if any exist).

7. Expected Results

  • HTTP Response: The REST API should return 201 Created.
  • Response Body: Should contain the details of the newly created gallery, including "status": "publish".
  • Unauthorized Behavior: An Author should normally not be able to publish "Galleries" if they are considered a management/administrative feature of the plugin.

8. Verification Steps

After the HTTP request, verify the post creation via WP-CLI:

  1. Check Post Count:
    • wp post list --post_type=mb_gallery
  2. Verify Author and Status:
    • wp post list --post_type=mb_gallery --fields=ID,post_author,post_status (WP-CLI takes a comma-separated --fields list; --field selects a single column)
    • Confirm the post_author matches the Author's ID and post_status is publish.

9. Alternative Approaches

If the REST API is not enabled for this CPT (show_in_rest => false):

  1. Standard Admin POST: Use browser_navigate to wp-admin/post-new.php?post_type=mb_gallery.
  2. Form Submission: Use browser_eval to fill the title and click the "Publish" button.
  3. Manual POST: Capture the POST request to wp-admin/post.php made by the browser and replicate it via http_request, ensuring the _wpnonce (for the add-post action) is included in the URL-encoded body.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Meta-box GalleryMeta plugin fails to properly restrict access to its 'mb_gallery' custom post type, allowing users with Author-level permissions to create and publish galleries. This is due to the custom post type defaulting to standard WordPress post capabilities, which Authors possess by default.

Vulnerable Code

<?php
// Inferred registration within the plugin initialization (not verified against the plugin source;
// the $labels values are placeholders)
// wp-content/plugins/meta-box-gallerymeta/meta-box-gallerymeta.php

add_action( 'init', function () {
    $labels = array( 'name' => 'Galleries', 'singular_name' => 'Gallery' );

    register_post_type( 'mb_gallery', array(
        'labels'       => $labels,
        'public'       => true,
        'show_in_rest' => true,
        'supports'     => array( 'title', 'editor', 'thumbnail' ),
        // The vulnerability exists because 'capability_type' defaults to 'post'
        // and 'map_meta_cap' defaults to false, so this type shares the standard
        // post capabilities (edit_posts, publish_posts) that Authors already hold.
    ) );
} );

Security Fix

--- a/meta-box-gallerymeta.php
+++ b/meta-box-gallerymeta.php
@@ -10,6 +10,8 @@
         'public'       => true,
         'show_in_rest' => true,
         'supports'     => array( 'title', 'editor', 'thumbnail' ),
+        'capability_type' => 'mb_gallery',
+        'map_meta_cap'    => true,
     ) );
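Review bot: the two added lines switch the type to its own capability type but grant the resulting capabilities to no role, so after this change nobody, Administrators included, can create or publish galleries; WordPress does not assign a custom capability type's capabilities to any role automatically, so the fix needs a companion step that adds them to the intended role, for example `get_role( 'administrator' )->add_cap( 'publish_mb_gallerys' )` and the other generated primitives on activation. A scalar `'capability_type' => 'mb_gallery'` also pluralizes by appending "s", giving `edit_mb_gallerys`; passing `array( 'mb_gallery', 'mb_galleries' )` yields readable names. Note that the page labels this finding "Static analysis — not yet PoC-verified", so this hunk should be read as the inferred shape of a fix rather than the shipped patch.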

Exploit Outline

The exploit leverages the default behavior of WordPress Custom Post Types (CPTs) when no custom capability schema is defined.

  1. Authentication: The attacker authenticates as a user with the 'Author' role (or higher).
  2. Nonce Retrieval: The attacker accesses the WordPress dashboard to extract a valid REST API nonce (wp_rest) from the localized 'wpApiSettings' JavaScript object.
  3. Endpoint Target: The attacker targets the REST API endpoint for the gallery post type: '/wp-json/wp/v2/mb_gallery'.
  4. Payload Delivery: The attacker sends a POST request to the endpoint containing gallery metadata, including 'status': 'publish'.
  5. Authorization Bypass: Because the plugin has not defined a specific 'capability_type', WordPress checks if the user has the 'publish_posts' capability. Since Authors possess this capability, the check passes, allowing them to publish 'mb_gallery' objects which should be restricted to Administrators.
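The authorization bypass above hinges on the type inheriting the standard post capabilities. The registration below is an added example of the hardened shape, not the plugin's own code: the mbg_* function names and the label strings are assumptions, while the capability names are those WordPress derives from capability_type array( 'mb_gallery', 'mb_galleries' ). It registers the type under its own capability type with map_meta_cap enabled and grants the generated primitive capabilities to the Administrator role on activation, since WordPress assigns a custom capability type's capabilities to no role by itself.

```php
<?php
/**
 * Hardened registration for the mb_gallery post type.
 * Added example, not the plugin's code: mbg_* names and labels are assumptions.
 */

/**
 * Primitive capabilities WordPress derives for this capability type when
 * map_meta_cap is true. The meta caps (edit_mb_gallery, read_mb_gallery,
 * delete_mb_gallery) are mapped onto these at check time and are never
 * granted to a role directly.
 */
function mbg_gallery_primitive_caps() {
    return array(
        'edit_mb_galleries',
        'edit_others_mb_galleries',
        'edit_private_mb_galleries',
        'edit_published_mb_galleries',
        'publish_mb_galleries',
        'read_private_mb_galleries',
        'delete_mb_galleries',
        'delete_others_mb_galleries',
        'delete_private_mb_galleries',
        'delete_published_mb_galleries',
    );
}

/** Register the type under its own capability type instead of the 'post' default. */
function mbg_register_gallery_cpt() {
    register_post_type( 'mb_gallery', array(
        'labels'          => array( 'name' => 'Galleries', 'singular_name' => 'Gallery' ),
        'public'          => true,
        'show_in_rest'    => true,
        'supports'        => array( 'title', 'editor', 'thumbnail' ),
        // Singular and plural forms: a bare 'mb_gallery' would generate
        // edit_mb_gallerys; the pair generates edit_mb_galleries and friends.
        'capability_type' => array( 'mb_gallery', 'mb_galleries' ),
        // Map edit_post/delete_post/read_post for these posts onto the
        // mb_gallery primitives, so an Author's edit_posts/publish_posts no
        // longer satisfy the check. The REST controller then requires
        // edit_mb_galleries to create and publish_mb_galleries to publish.
        'map_meta_cap'    => true,
    ) );
}
add_action( 'init', 'mbg_register_gallery_cpt' );

/**
 * Grant the primitives to Administrators on activation. Without this step no
 * role has them and even Administrators lose gallery management. add_cap()
 * persists to the wp_user_roles option, so it runs once here, not per request.
 */
function mbg_grant_gallery_caps() {
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( mbg_gallery_primitive_caps() as $cap ) {
            $admin->add_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'mbg_grant_gallery_caps' );

/** Remove them on deactivation so stale capabilities are not left behind. */
function mbg_revoke_gallery_caps() {
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( mbg_gallery_primitive_caps() as $cap ) {
            $admin->remove_cap( $cap );
        }
    }
}
register_deactivation_hook( __FILE__, 'mbg_revoke_gallery_caps' );

/**
 * Diagnostic: does a role hold the capability the type uses for publishing?
 * Reads the mapped name from the registered type object rather than
 * hard-coding it, so it reports correctly whichever capability_type is set.
 */
function mbg_role_can_publish_galleries( $role_name ) {
    $role = get_role( $role_name );
    $type = get_post_type_object( 'mb_gallery' );
    if ( ! $role || ! $type ) {
        return false;
    }
    return $role->has_cap( $type->cap->publish_posts );
}
```

With this in place an Author's POST to /wp-json/wp/v2/mb_gallery is refused with a 403 rest_cannot_create, because WP_REST_Posts_Controller checks $post_type->cap->create_posts (here edit_mb_galleries) before creating and publish_mb_galleries before honouring "status": "publish". Existing Administrator users pick up the new capabilities from the role immediately. To confirm from the command line, wp eval 'var_dump( mbg_role_can_publish_galleries( "author" ) );' should print bool(false), and the same call with "administrator" should print bool(true); on the vulnerable registration the "author" call prints bool(true), because $type->cap->publish_posts resolves to plain publish_posts.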
