Description
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
Published: 2026-06-13
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Meow Gallery for WordPress lacks a capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode. This lets any authenticated user with Author-level permissions or higher create or overwrite gallery shortcode records by supplying a user-controlled id. The flaw allows arbitrary alteration of gallery configuration data and compromises the integrity of the site's galleries.

Affected Systems

WordPress installations running Meow Gallery version 5.4.4 or earlier are affected. The plugin is distributed by tigroumeow. On a vulnerable site, any authenticated user with Author-level access or above can exploit the flaw.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. The endpoint is reachable via the REST API for any logged‑in author‑level user, and no additional privileges or conditions are required to exploit it. The attack path is straightforward, making the risk material for sites that expose author accounts and gallery functionality.

Generated by OpenCVE AI on June 13, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Meow Gallery to version 5.4.5 or later, which applies the missing capability checks on the save_shortcode endpoint.
  • If an immediate upgrade is not possible, block or restrict access to /wp-json/meow-gallery/v1/save_shortcode for non‑Administrator roles using a firewall rule, .htaccess directive, or a security plugin.
  • Audit existing gallery shortcode records for unauthorized changes, minimize the use of author‑level accounts, and employ multi‑factor authentication for users with content‑creation privileges.

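
The following is an added illustration of the missing object-level authorization check the advisory and the recommended actions describe; it is not Meow Gallery's code, not OpenCVE's, and the route name 'hypo-gallery/v1/save_shortcode', the post type 'hypo_gallery' and all hypo_* function names are assumptions for the example.

```php
<?php
// Added illustration, not Meow Gallery's code: a hypothetical REST route
// 'hypo-gallery/v1/save_shortcode' carrying the object-level authorization
// check whose absence the advisory describes (CWE-639). Assumes gallery
// shortcode records are posts of a custom post type 'hypo_gallery'.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo-gallery/v1', '/save_shortcode', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'hypo_save_shortcode',
        // The weak form of this route would use '__return_true' here, or only
        // is_user_logged_in(), so any Author could write any record by id.
        'permission_callback' => 'hypo_can_save_shortcode',
        'args'                => array(
            'id'        => array( 'type' => 'integer', 'default' => 0, 'sanitize_callback' => 'absint' ),
            'shortcode' => array( 'type' => 'string', 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

// Authorize against the record the client names, not merely "is logged in".
function hypo_can_save_shortcode( WP_REST_Request $request ) {
    $denied = new WP_Error( 'rest_forbidden', 'Not allowed to save this gallery.', array( 'status' => 403 ) );
    $id     = absint( $request->get_param( 'id' ) );
    if ( 0 === $id ) {
        // Creating a new record: the user must be allowed to create galleries at all.
        return current_user_can( 'edit_posts' ) ? true : $denied;
    }
    $post = get_post( $id );
    if ( ! $post || 'hypo_gallery' !== $post->post_type ) {
        return $denied; // an arbitrary id must never reach the update path
    }
    // 'edit_post' is a meta capability: Authors pass only for their own posts,
    // Editors and Administrators for anyone's. This is the missing check.
    return current_user_can( 'edit_post', $post->ID ) ? true : $denied;
}

// The handler writes only the id the permission callback has already authorized.
function hypo_save_shortcode( WP_REST_Request $request ) {
    $data = array(
        'post_type'    => 'hypo_gallery',
        'post_status'  => 'publish',
        'post_content' => $request->get_param( 'shortcode' ),
    );
    if ( $request->get_param( 'id' ) ) {
        $data['ID'] = absint( $request->get_param( 'id' ) ); // wp_insert_post updates when ID is set
    }
    $result = wp_insert_post( $data, true );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'id' => $result ) );
}
```

Resolving the record server-side and checking the 'edit_post' meta capability for that specific object is what turns a "logged in" check into an authorization check; a firewall rule on the route path (as in the actions above) only restricts who can reach it.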


Advisories

No advisories yet.

History

Sat, 13 Jun 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
Title | | Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-13T08:29:40.890Z

Reserved: 2026-01-21T16:18:13.278Z

Link: CVE-2026-1291

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-13T10:16:18.643

Modified: 2026-06-13T10:16:18.643

Link: CVE-2026-1291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T11:30:07Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key