Meow Gallery

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.

Basic Information

ID CVE-2026-1291

Source Wordfence

Published Jun 13, 2026 at 08:29

Affected Product

Vendor tigroumeow

Product Meow Gallery

Affected Versions tigroumeow Meow Gallery 0

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.",
    "published": "2026-06-13T08:29:40.890Z",
    "modified": "2026-06-13T08:29:40.890Z",
    "type": "cve",
    "title": "Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve\nhttps://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php\nhttps://wordpress.org/plugins/meow-gallery/\nhttps://plugins.trac.wordpress.org/changeset/3469543/meow-gallery\nhttps://plugins.trac.wordpress.org/changeset/3469543/meow-gallery/trunk/classes/rest.php\nhttps://plugins.trac.wordpress.org/changeset?old_path=%2Fmeow-gallery/tags/5.4.4&new_path=%2Fmeow-gallery/tags/5.4.5",
    "id": "CVE-2026-1291",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "tigroumeow Meow Gallery 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Meow Gallery",
    "version": "0",
    "vendor": "tigroumeow",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation_CVE-2026-1291