Description
Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
Published: 2026-06-15
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A PHP Object Injection flaw (CWE‑502 – Untrusted Data De‑Serialization) exists in the Modula Image Gallery plugin version 2.14.18 and earlier. The plugin unserializes input supplied by customers and does not perform strict validation or authentication. An attacker who can reach the plugin’s endpoint can send crafted serialized data that is deserialized and executed, allowing arbitrary PHP code to run under the web server’s permissions. This compromise affects confidentiality, integrity, and availability of the entire WordPress site because the code executes within the application’s full context.

Affected Systems

WordPress sites that use the WP Chill Modula Image Gallery plugin at any version equal to or older than 2.14.18 are affected. The vulnerability applies to all installations that have not been updated to 2.14.19 or later, regardless of server configuration or network exposure.

Risk and Exploitability

The CVSS base score of 7.2 classifies the flaw as high severity, while the EPSS value of less than 1% indicates that active exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely a remote web request to the plugin’s HTTP interface, where malicious serialized payloads can be transmitted. Successful exploitation would grant full site compromise through remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 01:06 UTC.

Remediation

Vendor Solution

Update the WordPress Modula Image Gallery Plugin to the latest available version (at least 2.14.19).


OpenCVE Recommended Actions

  • Upgrade the Modula Image Gallery plugin to version 2.14.19 or later.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to eliminate the attack surface.
  • Conduct a security review of the site to detect code changes or backdoors that may have been implanted through exploitation.

Generated by OpenCVE AI on June 18, 2026 at 01:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpchill
Wpchill modula Image Gallery
Vendors & Products Wordpress
Wordpress wordpress
Wpchill
Wpchill modula Image Gallery

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
Title WordPress Modula Image Gallery plugin <= 2.14.18 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
Wpchill Modula Image Gallery
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T18:05:20.377Z

Reserved: 2026-04-07T10:42:07.236Z

Link: CVE-2026-39481

cve-icon Vulnrichment

Updated: 2026-06-16T18:05:05.475Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:44.467

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:15:15Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data