Re Gallery – Responsive Photo Gallery <= 1.18.9 - Missing Authorization
Description
The Re Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.18.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.18.10
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-22486 ## 1. Vulnerability Summary The **Re Gallery – Responsive Photo Gallery** plugin (versions <= 1.18.9) contains a **Missing Authorization** vulnerability. This occurs because the plugin registers either an AJAX action or a REST API endpoint that performs…
Show full research plan
Exploitation Research Plan - CVE-2026-22486
1. Vulnerability Summary
The Re Gallery – Responsive Photo Gallery plugin (versions <= 1.18.9) contains a Missing Authorization vulnerability. This occurs because the plugin registers either an AJAX action or a REST API endpoint that performs sensitive gallery modifications without implementing a proper capability check (like current_user_can( 'manage_options' )) or a restrictive REST API permission_callback. This allows unauthenticated attackers to perform unauthorized actions, such as modifying gallery settings, titles, or configurations.
2. Attack Vector Analysis
- Endpoint: Likely a REST API endpoint under the namespace
regallery/v1/or awp_ajax_nopriv_handler. - Target Path: Inferred to be
wp-json/regallery/v1/gallery/(?P<id>\d+)based on frontend JS URL patterns. - HTTP Method:
POSTorPUT. - Payload: JSON or URL-encoded data containing gallery configuration parameters (e.g.,
title,settings,items). - Authentication: None required (unauthenticated).
- Preconditions: A gallery must exist on the site to be targeted (ID required).
3. Code Flow
- Entry Point: The plugin initializes REST routes during the
rest_api_inithook or AJAX handlers duringinit. - Registration: A route like
regallery/v1/gallery/(?P<id>\d+)is registered usingregister_rest_route. - Vulnerability: The
permission_callbackfor this route is either omitted (defaulting to allowed in older WP versions) or explicitly set to__return_true, failing to verify if the user has administrative privileges. - Sink: The callback function (e.g.,
update_gallery_settings) accepts user-supplied data from the request and updates the gallery's database record (either in thewp_poststable if galleries are CPTs or a customwp_regallerytable) without further authorization checks.
4. Nonce Acquisition Strategy
The frontend JS (assets/js/wp-gallery.js) indicates that the plugin uses a localization object named reacg_global to store configuration data. If a nonce is required for the REST API (standard for wp-json in many configurations), it will be found here.
- Identify Shortcode: The plugin typically uses a shortcode like
[regallery id="..."]to display galleries. - Create Test Content: Create a gallery and place its shortcode on a public page.
- Extract Nonce:
- Navigate to the page containing the gallery.
- Use
browser_evalto extract the nonce and base URL from the global object. - JS Variable:
window.reacg_global - Key:
window.reacg_global.nonceorwindow.reacg_global.rest_nonce. - Base URL:
window.reacg_global.baseUrl.
5. Exploitation Strategy
Step 1: Discover Target Gallery ID
Identify an existing gallery ID. If none exists, create one via WP-CLI.
Step 2: Extract Nonce
Use the browser to visit a page with a gallery and extract the reacg_global data.
Step 3: Perform Unauthorized Update
Send an unauthenticated POST request to the REST API to modify the gallery.
Request Template:
- Method:
POST - URL:
{{base_url}}/wp-json/regallery/v1/gallery/{{gallery_id}} - Headers:
Content-Type: application/jsonX-WP-Nonce: {{extracted_nonce}}(if required)
- Body:
{ "title": "Unauthorized Modification", "generalSettings": { "itemsPerPage": 999 } }
6. Test Data Setup
- Create a Gallery:
wp post create --post_type=regallery --post_title="Original Gallery" --post_status=publish
(Note: Verify the exact CPT slug ifregalleryis incorrect by runningwp post-type list). - Get the ID: Capture the ID of the created gallery.
- Create a Public Page:
wp post create --post_type=page --post_title="Gallery Page" --post_status=publish --post_content='[regallery id="ID_FROM_STEP_1"]'
7. Expected Results
- HTTP Response:
200 OKor201 Createdwith a JSON body confirming the update. - Data Change: The gallery's title or settings in the database will reflect the attacker's payload.
- Unauthorized Access: The request succeeds even when no authentication cookies are provided.
8. Verification Steps
Check the gallery state using WP-CLI after the exploit:
- Verify Title Change:
wp post get {{gallery_id}} --field=post_title - Verify Settings Change:
wp post get {{gallery_id}} --field=post_content(if settings are stored as JSON in content) orwp post-meta list {{gallery_id}}.
9. Alternative Approaches
- AJAX Endpoint: If the REST API is not the vector, search for
wp_ajax_nopriv_reacg_save_settingsorwp_ajax_nopriv_regallery_save_order. - Payload Variation: Try changing different fields. If
titleis protected, trythumbnailSettingsormosaicSettings(referenced inassets/js/wp-gallery.js). - Blind Injection: If the response doesn't confirm the change, check the frontend of the "Gallery Page" to see if the rendering behavior changed (e.g., more items per page).
Summary
The Re Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks on its REST API endpoints in versions up to 1.18.9. This allows unauthenticated attackers to modify gallery settings, titles, or configurations by sending unauthorized POST or PUT requests.
Security Fix
@@ -10,18 +10,19 @@ font-size: 13px; } -.reacg-upgrade { +a.reacg-upgrade { background-color: rgb(147 177 77); } -.reacg-upgrade:focus, -.reacg-upgrade:active, -.reacg-upgrade:hover { +a.reacg-upgrade:focus, +a.reacg-upgrade:active, +a.reacg-upgrade:hover { background-color: rgb(135 162 71); } -.reacg-upgrade, -.reacg-upgrade:active, -.reacg-upgrade:focus, -.reacg-upgrade:hover { +a.reacg-upgrade, +a.reacg-upgrade:active, +a.reacg-upgrade:focus, +a.reacg-upgrade:hover { + text-decoration: none; color: #FFFFFF; font-weight: 600; border-radius: 3px; @@ -33,7 +34,7 @@ box-shadow: none; } @media screen and (max-width: 782px) { - .reacg-upgrade { + a.reacg-upgrade { margin: 5px 8px; } } @@ -1 +1 @@ -!function(){var e={6020:function(e,t,n)... (truncated)
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker identifies a valid gallery ID (often visible via shortcodes or frontend HTML). They then send a POST or PUT request to the REST API endpoint `wp-json/regallery/v1/gallery/{id}`. The request body includes a JSON payload targeting fields like 'title' or 'generalSettings' (e.g., itemsPerPage). Because the plugin lacks a permission_callback or administrative capability check on this route, the server updates the gallery settings in the database without verifying the requester's identity or permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.