CVE Catalog

CVE-2026-1291

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

The Meow Gallery plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to and including 5.4.4. This allows authenticated attackers with Author-level access and above to arbitrarily create or overwrite existing gallery shortcode records.

Risk Assessment

Attackers can exploit this vulnerability to make unauthorized modifications to galleries, potentially leading to data integrity loss and reputational issues for the organization.

Recommendation

It is recommended to update the Meow Gallery plugin to the latest version to mitigate this vulnerability and to implement additional permission checks on API endpoints.

Original NVD description (English source)

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS