CVE-2026-39481

Modula Image Gallery – Photo Grid & Video Gallery <= 2.14.18 - Authenticated (Author+) PHP Object Injection

Deserialization of Untrusted Data
CVSS Score: 7.5
Severity: high
Patched in: 2.14.19
Time to patch: 11d

Description

The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.14.18 via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Technical Details

Affected versions: <=2.14.18
Published: April 20, 2026
Last updated: April 30, 2026

What Changed in the Fix

Changes introduced in v2.14.19


Source Code

WordPress.org SVN

Research Plan
Unverified

This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability in the Modula Image Gallery plugin (CVE-2026-39481).

1. Vulnerability Summary

The Modula Image Gallery plugin is vulnerable to PHP Object Injection in versions up to and including 2.14.18. The vulnerability resides in the handling of gallery data (specifically images or settings) during saving or updating operations. The plugin performs unserialize() on user-controlled input without sufficient validation. While no POP (Property Oriented Programming) chain is identified within the plugin itself, an attacker can leverage chains from other installed plugins or WordPress core to achieve Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: modula_save_gallery_images (inferred from plugin architecture for gallery updates) or modula_save_images.
  • Vulnerable Parameter: images
  • Authentication: Authenticated, Author-level access or higher.
  • Preconditions: The attacker must have permissions to create or edit modula-gallery Custom Post Types (CPT).

3. Code Flow

  1. The plugin registers an AJAX handler for saving gallery data. In includes/admin/cpt/class-modula-cpt.php, we see registration for actions like modula_remember_tab, but the primary saving logic typically involves a modula_save_gallery_images or similar action registered in the Modula_CPT or Modula_Field_Builder classes.
  2. The handler retrieves the images parameter from the $_POST array.
  3. The plugin calls unserialize() or maybe_unserialize() on this string (often after stripslashes()).
  4. If a malicious PHP serialized object is passed, the object's magic methods (__wakeup, __destruct, etc.) are triggered upon deserialization.

4. Nonce Acquisition Strategy

The AJAX actions in Modula's admin interface are protected by nonces localized in the gallery editor.

  1. Identify the Script: Modula localizes settings for its admin editor using a variable often named modula_cpt_vars.
  2. Creation: Create a new gallery to access the editor.
    • Command: wp post create --post_type=modula-gallery --post_status=publish --post_title="Exploit Gallery" --post_author=2 (Assuming ID 2 is an Author).
  3. Navigation: Use the browser tool to navigate to the edit page for the newly created gallery.
    • URL: /wp-admin/post.php?post=[ID]&action=edit
  4. Extraction: Execute JavaScript to retrieve the nonce and the post ID.
    • browser_eval("window.modula_cpt_vars?.nonce")
    • The post ID is typically available in the URL or via browser_eval("document.getElementById('post_ID')?.value").

5. Exploitation Strategy

Step 1: Setup Payload

Prepare a serialized object. Since no chain is present, we will use a "Class Not Found" injection to trigger a detectable PHP error (confirming deserialization).

  • Payload: O:20:"Modula_Exploit_Test":0:{}

Step 2: Send Exploitation Request

Use the http_request tool to send the AJAX request.

  • Method: POST
  • URL: http://[TARGET]/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=modula_save_gallery_images&
    nonce=[NONCE]&
    post_id=[GALLERY_ID]&
    
Research Findings
Static analysis — not yet PoC-verified

Summary

The Modula Image Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to 2.14.18. This occurs because the plugin processes user-provided gallery image data via the unserialize() function without sufficient validation, allowing authenticated attackers with Author-level permissions to execute arbitrary code or delete files if a suitable POP chain is available on the target system.
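
A defensive check for the request shape described above, added here as an example (it is not the plugin's code or part of the original write-up): it classifies form-encoded POST bodies sent to admin-ajax.php and flags an images value that carries PHP serialized object tokens. The action names are the ones this page infers, and the sample bodies are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Assumption: AJAX action names as inferred on this page.
WATCHED_ACTIONS = {"modula_save_gallery_images", "modula_save_images"}

# serialize() writes objects as O:<len>:"<Class>":<count>:{ and Serializable
# objects as C:<len>:"<Class>":<len>:{ . Tolerate "+" on the numbers and a
# backslash before each quote (slashed input).
OBJECT_TOKEN = re.compile(r'(?:^|[;{}])[OC]:\+?\d+:\\?"([^"]*?)\\?":\+?\d+:\{')


def classify_body(raw_body):
    """Return (verdict, class_names) for one form-encoded POST body."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    if not WATCHED_ACTIONS.intersection(fields.get("action", [])):
        return ("ignored", [])
    values = fields.get("images", [])
    if not values:
        return ("no-images", [])
    classes, all_json = [], True
    for value in values:
        classes += OBJECT_TOKEN.findall(value)
        try:
            json.loads(value)
        except ValueError:
            all_json = False
    if classes:
        return ("serialized-object", classes)
    # The patched handler expects JSON; anything else is worth a look.
    return ("json", []) if all_json else ("not-json", [])


def _body(images, action="modula_save_gallery_images"):
    return urlencode({"action": action, "post_id": "7", "images": images})


# Constructed sample bodies, not captured traffic.
SAMPLES = [
    _body('[{"id":12,"title":"Sunset"}]'),
    _body('a:1:{i:0;O:8:\\"stdClass\\":0:{}}'),
    _body('O:11:"Vendor\\Item":1:{s:1:"a";i:1;}'),
    _body("12,13,14"),
    _body('O:8:"stdClass":0:{}', action="heartbeat"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_body(sample))
```

The class names it returns are useful triage data: a name that belongs to another installed plugin or theme points at the component whose magic methods the request was aimed at.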

Vulnerable Code

// From includes/admin/cpt/class-modula-field-builder.php (inferred based on research plan)
public function save_gallery_images() {
    if ( ! isset( $_POST['images'] ) ) {
        return;
    }

    // Vulnerable deserialization of user input
    $images = unserialize( stripslashes( $_POST['images'] ) );

    if ( is_array( $images ) ) {
        foreach ( $images as $image ) {
            // Process and save image data
        }
    }
}

Security Fix

--- a/includes/admin/cpt/class-modula-field-builder.php
+++ b/includes/admin/cpt/class-modula-field-builder.php
@@ -...@@
-    $images = unserialize( stripslashes( $_POST['images'] ) );
+    $images = json_decode( stripslashes( $_POST['images'] ), true );
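Review bot: on the added json_decode() line, a body that is not valid JSON (including one still sent in the old serialized format) now decodes to null, and with the is_array() guard shown in save_gallery_images() the save is skipped with no error reaching the caller; return an explicit failure, for example wp_send_json_error(), when the result is not an array. The decoded array is still user-controlled, so each element's fields should be validated and sanitized before they are stored, and wp_unslash() is the WordPress helper to prefer over a bare stripslashes( $_POST['images'] ).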

Exploit Outline

To exploit this vulnerability, an attacker must have Author-level access or higher to create or edit galleries. The process involves:

  1. Authenticating to the WordPress admin panel and navigating to the Modula Gallery editor (or creating a new gallery) to obtain a valid security nonce and the post ID.
  2. Extracting the nonce from the 'modula_cpt_vars' JavaScript object localized on the page.
  3. Crafting a malicious PHP serialized object payload designed to trigger a POP chain (e.g., from WordPress core or other installed plugins).
  4. Sending a POST request to the /wp-admin/admin-ajax.php endpoint with the action 'modula_save_gallery_images', including the valid nonce, gallery post_id, and the serialized payload in the 'images' parameter.
  5. Upon receiving the request, the server-side logic calls unserialize() on the payload, triggering the execution of magic methods within the injected object.
