VYPR
Medium severity · 4.3 · NVD Advisory · Published Jun 13, 2026

CVE-2026-1291

Description

The Meow Gallery WordPress plugin ≤5.4.4 lacks a capability check on its REST API save_shortcode endpoint, allowing Author-level users to create or overwrite arbitrary gallery shortcode records.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Meow Gallery plugin for WordPress (versions up to and including 5.4.4) exposes a REST API endpoint, /wp-json/meow-gallery/v1/save_shortcode, whose permission callback is can_access_settings [1][3]. This callback does not verify whether the authenticated user owns, or is otherwise authorized to modify, the specific gallery shortcode record identified by the user-supplied id parameter. As a result, any authenticated user with at least Author-level access can send a POST request to this endpoint and create new gallery shortcode records or overwrite existing ones simply by controlling the id value [1]. The endpoint performs its database update without checking that the user is permitted to modify the referenced record.

Exploitation

An attacker must be authenticated to the WordPress site with a role of Author or higher. No additional privileges or user interaction are required. The attacker crafts a POST request to /wp-json/meow-gallery/v1/save_shortcode with a chosen id (either an existing gallery shortcode ID to overwrite or a new ID to create) and the desired shortcode data. The server processes the request without verifying that the attacker owns the gallery record, thus allowing unauthorized modification or creation of gallery shortcodes [1][2].

Impact

Successful exploitation enables an attacker to arbitrarily create or overwrite gallery shortcode records. This can lead to unauthorized modification of gallery content, potentially injecting malicious shortcodes or altering the appearance and behavior of existing galleries. The impact is primarily on data integrity, as the attacker can modify gallery records without proper authorization. The attacker does not gain elevated privileges beyond their existing Author-level access, but they can affect content that may be displayed to other users [1].

Mitigation

The vulnerability is fixed in Meow Gallery version 5.4.5, as indicated by the changeset that adds proper capability checks to the save_shortcode endpoint [2]. Users should update the plugin to version 5.4.5 or later immediately. No workarounds are documented. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
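As an added illustration of the kind of per-record check the fix describes (example code, not the plugin's or the changeset's own), the following registers the same route with a permission callback that verifies the caller's right to the specific record named by id, instead of only a site-wide settings capability. The storage layout (a custom table with an author_id column) and the handler name are assumptions; the page does not describe how records are stored.

```php
<?php
// Added example, not the Meow Gallery plugin's own code. Assumes gallery
// shortcode records live in a custom table "{$wpdb->prefix}mgl_shortcodes"
// with an author_id column (hypothetical), and that 'id' in the request
// selects the record to create (0) or overwrite (existing id).

add_action( 'rest_api_init', function () {
    register_rest_route( 'meow-gallery/v1', '/save_shortcode', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'mgl_save_shortcode', // existing save handler (name assumed)
        // The permission callback receives the request, so it can check the
        // specific record being modified rather than only a global setting.
        'permission_callback' => 'example_can_save_shortcode',
        'args'                => array( 'id' => array( 'sanitize_callback' => 'absint' ) ),
    ) );
} );

function example_can_save_shortcode( WP_REST_Request $request ) {
    global $wpdb;

    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    // Site administrators may manage every gallery record.
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }

    $id = absint( $request->get_param( 'id' ) );

    // Creating a new record: tie the right to a concrete capability.
    if ( 0 === $id ) {
        return current_user_can( 'publish_posts' );
    }

    // Overwriting an existing record: the caller must own it.
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT author_id FROM {$wpdb->prefix}mgl_shortcodes WHERE id = %d",
        $id
    ) );

    if ( null === $owner ) {
        // Unknown id: refuse instead of letting the caller choose an arbitrary id.
        return new WP_Error( 'rest_not_found', 'No such gallery record.', array( 'status' => 404 ) );
    }

    return (int) $owner === get_current_user_id();
}
```

WordPress honors a WP_Error returned from permission_callback, so the handler never runs for a denied request and the response carries the given status code.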

AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
