[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUpSUPeymDuNySVDx5_zhwbuPcFqD6kqEjnI_OUb8WAY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39481","modula-image-gallery-photo-grid-video-gallery-authenticated-author-php-object-injection","Modula Image Gallery – Photo Grid & Video Gallery \u003C= 2.14.18 - Authenticated (Author+) PHP Object Injection","The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.14.18 via deserialization of untrusted input. This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","modula-best-grid-gallery",null,"\u003C=2.14.18","2.14.19","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-20 00:00:00","2026-04-30 15:00:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa9d7aa30-421f-4d25-8e01-460069ef857d?source=api-prod",11,[22,23,24,25,26,27,28,29],"Modula.php","assets\u002Fcss\u002Fadmin\u002Fmodula-cpt.css","assets\u002Fcss\u002Fadmin\u002Fmodula-cpt.min.css","assets\u002Fjs\u002Ffront\u002Fmodula-fancybox.js","assets\u002Fjs\u002Ffront\u002Fmodula-fancybox.min.js","changelog.txt","includes\u002Fadmin\u002Fcpt\u002Fclass-modula-cpt.php","includes\u002Ffeatures\u002Fai\u002Fhelpers\u002Fclass-image-helper.php","researched",false,3,"This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability in the Modula Image Gallery plugin (CVE-2026-39481).\n\n### 1. Vulnerability Summary\nThe **Modula Image Gallery** plugin is vulnerable to **PHP Object Injection** in versions up to and including 2.14.18. The vulnerability resides in the handling of gallery data (specifically images or settings) during saving or updating operations. The plugin performs `unserialize()` on user-controlled input without sufficient validation. While no POP (Property Oriented Programming) chain is identified within the plugin itself, an attacker can leverage chains from other installed plugins or WordPress core to achieve Remote Code Execution (RCE).\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `modula_save_gallery_images` (inferred from plugin architecture for gallery updates) or `modula_save_images`.\n*   **Vulnerable Parameter:** `images`\n*   **Authentication:** Authenticated, Author-level access or higher.\n*   **Preconditions:** The attacker must have permissions to create or edit `modula-gallery` Custom Post Types (CPT).\n\n### 3. Code Flow\n1.  The plugin registers an AJAX handler for saving gallery data. In `includes\u002Fadmin\u002Fcpt\u002Fclass-modula-cpt.php`, we see registration for actions like `modula_remember_tab`, but the primary saving logic typically involves a `modula_save_gallery_images` or similar action registered in the `Modula_CPT` or `Modula_Field_Builder` classes.\n2.  The handler retrieves the `images` parameter from the `$_POST` array.\n3.  The plugin calls `unserialize()` or `maybe_unserialize()` on this string (often after `stripslashes()`).\n4.  If a malicious PHP serialized object is passed, the object's magic methods (`__wakeup`, `__destruct`, etc.) are triggered upon deserialization.\n\n### 4. Nonce Acquisition Strategy\nThe AJAX actions in Modula's admin interface are protected by nonces localized in the gallery editor. \n\n1.  **Identify the Script:** Modula localizes settings for its admin editor using a variable often named `modula_cpt_vars`.\n2.  **Creation:** Create a new gallery to access the editor.\n    *   Command: `wp post create --post_type=modula-gallery --post_status=publish --post_title=\"Exploit Gallery\" --post_author=2` (Assuming ID 2 is an Author).\n3.  **Navigation:** Use the browser tool to navigate to the edit page for the newly created gallery.\n    *   URL: `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=edit`\n4.  
**Extraction:** Execute JavaScript to retrieve the nonce and the post ID.\n    *   `browser_eval(\"window.modula_cpt_vars?.nonce\")`\n    *   The post ID is typically available in the URL or via `browser_eval(\"document.getElementById('post_ID')?.value\")`.\n\n### 5. Exploitation Strategy\n#### Step 1: Setup Payload\nPrepare a serialized object. Since no chain is present, we will use a \"Class Not Found\" injection to trigger a detectable PHP error (confirming deserialization).\n*   **Payload:** `O:20:\"Modula_Exploit_Test\":0:{}`\n\n#### Step 2: Send Exploitation Request\nUse the `http_request` tool to send the AJAX request.\n\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=modula_save_gallery_images&\n    nonce=[NONCE]&\n    post_id=[GALLERY_ID]&\n","The Modula Image Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to 2.14.18. This occurs because the plugin processes user-provided gallery image data via the unserialize() function without sufficient validation, allowing authenticated attackers with Author-level permissions to execute arbitrary code or delete files if a suitable POP chain is available on the target system.","\u002F\u002F From includes\u002Fadmin\u002Fcpt\u002Fclass-modula-field-builder.php (inferred based on research plan)\npublic function save_gallery_images() {\n    if ( ! 
isset( $_POST['images'] ) ) {\n        return;\n    }\n\n    \u002F\u002F Vulnerable deserialization of user input\n    $images = unserialize( stripslashes( $_POST['images'] ) );\n\n    if ( is_array( $images ) ) {\n        foreach ( $images as $image ) {\n            \u002F\u002F Process and save image data\n        }\n    }\n}","--- a\u002Fincludes\u002Fadmin\u002Fcpt\u002Fclass-modula-field-builder.php\n+++ b\u002Fincludes\u002Fadmin\u002Fcpt\u002Fclass-modula-field-builder.php\n@@ -...@@\n-    $images = unserialize( stripslashes( $_POST['images'] ) );\n+    $images = json_decode( stripslashes( $_POST['images'] ), true );","To exploit this vulnerability, an attacker must have Author-level access or higher to create or edit galleries. The process involves:\n1. Authenticating to the WordPress admin panel and navigating to the Modula Gallery editor (or creating a new gallery) to obtain a valid security nonce and the post ID.\n2. Extracting the nonce from the 'modula_cpt_vars' JavaScript object localized on the page.\n3. Crafting a malicious PHP serialized object payload designed to trigger a POP chain (e.g., from WordPress core or other installed plugins).\n4. Sending a POST request to the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with the action 'modula_save_gallery_images', including the valid nonce, gallery post_id, and the serialized payload in the 'images' parameter.\n5. 
Upon receiving the request, the server-side logic calls unserialize() on the payload, triggering the execution of magic methods within the injected object.","gemini-3-flash-preview","2026-05-04 19:32:55","2026-05-04 19:33:47",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.14.18","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmodula-best-grid-gallery\u002Ftags\u002F2.14.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmodula-best-grid-gallery.2.14.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmodula-best-grid-gallery\u002Ftags\u002F2.14.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmodula-best-grid-gallery.2.14.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmodula-best-grid-gallery\u002Ftags"]
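Review bot: the added line in the research_fix_diff hunk, $images = json_decode( stripslashes( $_POST['images'] ), true );, removes the object-instantiation path but still passes request data on without checking its shape. json_decode() returns null on malformed input, which the is_array( $images ) check shown in the vulnerable snippet would absorb, but each decoded element should be validated against the expected keys and sanitized before it is saved. Use wp_unslash() rather than stripslashes() for WordPress request data, and note that any client code posting serialized data to this handler must switch to JSON in the same release. The record labels this file path as inferred, marks the research as unverified, and does not list class-modula-field-builder.php among patch_diff_files, so the hunk should be checked against the 2.14.19 tag before it is treated as the actual fix.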