CVE-2026-39481

Vulnerability

A PHP Object Injection vulnerability exists in the Modula Image Gallery plugin for WordPress in versions up to and including 2.14.18 [1]. The vulnerability allows an attacker to inject arbitrary PHP objects via deserialization of user-supplied input. The flaw is an unauthorized PHP object injection, meaning no authentication is required to exploit it [1].

Exploitation

An attacker can exploit this vulnerability without any authentication, simply by sending a crafted request containing a malicious serialized PHP object to the affected plugin [1]. No prior access to the WordPress site is needed. The attack is network-based and can be performed remotely.

Impact

If a suitable POP chain is present in the application or installed plugins/themes, successful exploitation can lead to code injection, SQL injection, path traversal, denial of service, and other severe impacts [1]. The vulnerability has a CVSS v3 score of 7.2 (High) and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vulnerability is fixed in version 2.14.19 of the plugin [1]. Users are strongly advised to update to this version immediately. Patchstack has also issued a mitigation rule to block attacks until the update is applied [1]. For Patchstack users, auto-update for vulnerable plugins can be enabled [1].