CVE-2026-22486

Re Gallery – Responsive Photo Gallery <= 1.18.9 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.18.10
Patched in
99d
Time to patch

Description

The Re Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.18.9. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.18.9
PublishedJanuary 7, 2026
Last updatedApril 15, 2026
Affected pluginregallery

What Changed in the Fix

Changes introduced in v1.18.10

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-22486 ## 1. Vulnerability Summary The **Re Gallery – Responsive Photo Gallery** plugin (versions <= 1.18.9) contains a **Missing Authorization** vulnerability. This occurs because the plugin registers either an AJAX action or a REST API endpoint that performs…

Show full research plan

Exploitation Research Plan - CVE-2026-22486

1. Vulnerability Summary

The Re Gallery – Responsive Photo Gallery plugin (versions <= 1.18.9) contains a Missing Authorization vulnerability. This occurs because the plugin registers either an AJAX action or a REST API endpoint that performs sensitive gallery modifications without implementing a proper capability check (like current_user_can( 'manage_options' )) or a restrictive REST API permission_callback. This allows unauthenticated attackers to perform unauthorized actions, such as modifying gallery settings, titles, or configurations.

2. Attack Vector Analysis

  • Endpoint: Likely a REST API endpoint under the namespace regallery/v1/ or a wp_ajax_nopriv_ handler.
  • Target Path: Inferred to be wp-json/regallery/v1/gallery/(?P<id>\d+) based on frontend JS URL patterns.
  • HTTP Method: POST or PUT.
  • Payload: JSON or URL-encoded data containing gallery configuration parameters (e.g., title, settings, items).
  • Authentication: None required (unauthenticated).
  • Preconditions: A gallery must exist on the site to be targeted (ID required).

3. Code Flow

  1. Entry Point: The plugin initializes REST routes during the rest_api_init hook or AJAX handlers during init.
  2. Registration: A route like regallery/v1/gallery/(?P<id>\d+) is registered using register_rest_route.
  3. Vulnerability: The permission_callback for this route is either omitted (defaulting to allowed in older WP versions) or explicitly set to __return_true, failing to verify if the user has administrative privileges.
  4. Sink: The callback function (e.g., update_gallery_settings) accepts user-supplied data from the request and updates the gallery's database record (either in the wp_posts table if galleries are CPTs or a custom wp_regallery table) without further authorization checks.

4. Nonce Acquisition Strategy

The frontend JS (assets/js/wp-gallery.js) indicates that the plugin uses a localization object named reacg_global to store configuration data. If a nonce is required for the REST API (standard for wp-json in many configurations), it will be found here.

  1. Identify Shortcode: The plugin typically uses a shortcode like [regallery id="..."] to display galleries.
  2. Create Test Content: Create a gallery and place its shortcode on a public page.
  3. Extract Nonce:
    • Navigate to the page containing the gallery.
    • Use browser_eval to extract the nonce and base URL from the global object.
    • JS Variable: window.reacg_global
    • Key: window.reacg_global.nonce or window.reacg_global.rest_nonce.
    • Base URL: window.reacg_global.baseUrl.

5. Exploitation Strategy

Step 1: Discover Target Gallery ID

Identify an existing gallery ID. If none exists, create one via WP-CLI.

Step 2: Extract Nonce

Use the browser to visit a page with a gallery and extract the reacg_global data.

Step 3: Perform Unauthorized Update

Send an unauthenticated POST request to the REST API to modify the gallery.

Request Template:

  • Method: POST
  • URL: {{base_url}}/wp-json/regallery/v1/gallery/{{gallery_id}}
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: {{extracted_nonce}} (if required)
  • Body:
    {
      "title": "Unauthorized Modification",
      "generalSettings": {
        "itemsPerPage": 999
      }
    }
    

6. Test Data Setup

  1. Create a Gallery:
    wp post create --post_type=regallery --post_title="Original Gallery" --post_status=publish
    (Note: Verify the exact CPT slug if regallery is incorrect by running wp post-type list).
  2. Get the ID: Capture the ID of the created gallery.
  3. Create a Public Page:
    wp post create --post_type=page --post_title="Gallery Page" --post_status=publish --post_content='[regallery id="ID_FROM_STEP_1"]'

7. Expected Results

  • HTTP Response: 200 OK or 201 Created with a JSON body confirming the update.
  • Data Change: The gallery's title or settings in the database will reflect the attacker's payload.
  • Unauthorized Access: The request succeeds even when no authentication cookies are provided.

8. Verification Steps

Check the gallery state using WP-CLI after the exploit:

  1. Verify Title Change:
    wp post get {{gallery_id}} --field=post_title
  2. Verify Settings Change:
    wp post get {{gallery_id}} --field=post_content (if settings are stored as JSON in content) or wp post-meta list {{gallery_id}}.

9. Alternative Approaches

  • AJAX Endpoint: If the REST API is not the vector, search for wp_ajax_nopriv_reacg_save_settings or wp_ajax_nopriv_regallery_save_order.
  • Payload Variation: Try changing different fields. If title is protected, try thumbnailSettings or mosaicSettings (referenced in assets/js/wp-gallery.js).
  • Blind Injection: If the response doesn't confirm the change, check the frontend of the "Gallery Page" to see if the rendering behavior changed (e.g., more items per page).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Re Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks on its REST API endpoints in versions up to 1.18.9. This allows unauthenticated attackers to modify gallery settings, titles, or configurations by sending unauthorized POST or PUT requests.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.9/assets/css/deactivation.css /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.10/assets/css/deactivation.css
--- /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.9/assets/css/deactivation.css	2026-04-05 21:27:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.10/assets/css/deactivation.css	2026-04-09 20:47:04.000000000 +0000
@@ -10,18 +10,19 @@
   font-size: 13px;
 }
 
-.reacg-upgrade {
+a.reacg-upgrade {
   background-color: rgb(147 177 77);
 }
-.reacg-upgrade:focus,
-.reacg-upgrade:active,
-.reacg-upgrade:hover {
+a.reacg-upgrade:focus,
+a.reacg-upgrade:active,
+a.reacg-upgrade:hover {
   background-color: rgb(135 162 71);
 }
-.reacg-upgrade,
-.reacg-upgrade:active,
-.reacg-upgrade:focus,
-.reacg-upgrade:hover {
+a.reacg-upgrade,
+a.reacg-upgrade:active,
+a.reacg-upgrade:focus,
+a.reacg-upgrade:hover {
+  text-decoration: none;
   color: #FFFFFF;
   font-weight: 600;
   border-radius: 3px;
@@ -33,7 +34,7 @@
   box-shadow: none;
 }
 @media screen and (max-width: 782px) {
-  .reacg-upgrade {
+  a.reacg-upgrade {
     margin: 5px 8px;
   }
 }
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.9/assets/js/wp-gallery.js /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.10/assets/js/wp-gallery.js
--- /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.9/assets/js/wp-gallery.js	2026-04-05 21:27:36.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/regallery/1.18.10/assets/js/wp-gallery.js	2026-04-09 20:47:04.000000000 +0000
@@ -1 +1 @@
-!function(){var e={6020:function(e,t,n)... (truncated)

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker identifies a valid gallery ID (often visible via shortcodes or frontend HTML). They then send a POST or PUT request to the REST API endpoint `wp-json/regallery/v1/gallery/{id}`. The request body includes a JSON payload targeting fields like 'title' or 'generalSettings' (e.g., itemsPerPage). Because the plugin lacks a permission_callback or administrative capability check on this route, the server updates the gallery settings in the database without verifying the requester's identity or permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.