Description
The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.
Published: 2026-02-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized post modification
Action: Apply patch
AI Analysis

Impact

The Modula Image Gallery plugin for WordPress allows an authenticated user with contributor-level permissions to modify arbitrary posts through its REST API. When editing a gallery, the plugin accepts a list of post IDs in the modulaImages field and blindly updates the title, excerpt, and content of those posts without verifying that the user is actually allowed to edit them. This missing authorization check enables content tampering, defacement, or introduction of malicious data on the site. The vulnerability aligns with CWE‑862, Missing Authorization.

Affected Systems

The vulnerability affects all installations of the Modula Image Gallery – Photo Grid & Video Gallery plugin up to and including version 2.13.6, supplied by the wpchill vendor. Any WordPress site running a vulnerable version may be impacted, regardless of other plugins or theme configurations.

Risk and Exploitability

The CVSS v3 score is 4.3, indicating moderate risk. EPSS is below 1%, meaning that the current likelihood of exploitation is low, and the flaw is not listed in the CISA KEV catalog. Attackers must be authenticated and possess at least contributor access, and the vector requires use of the plugin’s REST API endpoint. While the exploit does not involve remote code execution or privilege escalation, the ability to alter arbitrary content can damage site integrity and trust.

Generated by OpenCVE AI on April 15, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Modula Image Gallery to the latest available version to incorporate the authorization fix.
  • If an update cannot be applied immediately, restrict contributor accounts from editing posts by changing role capabilities or removing the "edit_posts" capability from the contributor role.
  • Disable or block the Modula REST API endpoints for unauthenticated or low-privilege users using a security plugin or custom code to enforce proper capability checks.
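One way to do the "custom code" capability check from the last recommendation, as an added example that is not Modula's or OpenCVE's code. It assumes `modulaImages` (the field named in the description) arrives as an array, or a JSON string of one, whose entries are either a post ID or an array with an `id` key; the `example_` names are hypothetical.

```php
<?php
/**
 * Added example: must-use plugin that rejects REST writes whose modulaImages
 * field references posts the current user may not edit.
 * The payload shape handled here is an assumption, not taken from the plugin.
 */

// Collect the post IDs referenced by a modulaImages payload (shape assumed).
function example_modula_referenced_ids( $images ) {
	if ( is_string( $images ) ) {
		$images = json_decode( $images, true );
	}
	$ids = array();
	foreach ( (array) $images as $item ) {
		$raw = is_array( $item ) ? ( $item['id'] ?? null ) : $item;
		if ( is_numeric( $raw ) && (int) $raw > 0 ) {
			$ids[] = (int) $raw;
		}
	}
	return array_unique( $ids );
}

add_filter(
	'rest_pre_dispatch',
	function ( $result, $server, $request ) {
		$read_only = in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true );
		$images    = $request->get_param( 'modulaImages' );
		// Skip requests already handled, read-only requests, and unrelated routes.
		if ( null !== $result || $read_only || null === $images ) {
			return $result;
		}
		foreach ( example_modula_referenced_ids( $images ) as $post_id ) {
			// 'edit_post' is the per-object check; 'edit_posts' alone only
			// says the user may edit some posts, not this one.
			if ( ! current_user_can( 'edit_post', $post_id ) ) {
				return new WP_Error(
					'example_modula_forbidden',
					'You are not allowed to edit one of the referenced items.',
					array( 'status' => rest_authorization_required_code() )
				);
			}
		}
		return $result;
	},
	10,
	3
);
```

Entries without a usable numeric ID are skipped, so confirm the real payload shape on a test site before relying on this as a stopgap until the plugin is updated.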


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Values added:

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Values added:

  • First Time appeared: Wordpress; Wordpress wordpress; Wpchill; Wpchill modula Image Gallery – Photo Grid & Video Gallery
  • Vendors & Products: Wordpress; Wordpress wordpress; Wpchill; Wpchill modula Image Gallery – Photo Grid & Video Gallery

Sat, 14 Feb 2026 08:30:00 +0000

Values added:

  • Description: The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.
  • Title: Modula Image Gallery – Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing
  • Weaknesses: CWE-862
  • References
  • Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:16.005Z

Reserved: 2026-01-20T19:42:37.716Z

Link: CVE-2026-1254

Vulnrichment

Updated: 2026-02-17T15:36:26.860Z

NVD

Status: Deferred

Published: 2026-02-14T09:16:12.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z
