CVE-2026-1291
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-1291 is an authorization bypass vulnerability in the Meow Gallery plugin for WordPress, classified as Missing Authorization / Authorization Bypass Through User-Controlled Key (CWE-639). The flaw exists in the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode and affects all versions of the plugin up to and including 5.4.4. It was published on June 13, 2026, with a patch available in version 5.4.5. The vulnerability carries a CVSS v3.1 base score of 4.3 (Medium) (GitHub Advisory, Wordfence).

Technical details

The root cause is a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode, classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The endpoint performs database update operations without verifying whether the requesting user is authorized to modify or create the referenced gallery shortcode record. An authenticated attacker with Author-level access or above can supply an arbitrary user-controlled id value to create new gallery shortcode records or overwrite existing ones. The vulnerable code is visible in the plugin's classes/rest.php file (GitHub Advisory, WordPress Trac).

Impact

Successful exploitation allows an authenticated attacker with Author-level access or above to arbitrarily create or overwrite existing gallery shortcode records in the WordPress database. The impact is limited to data integrity — there is no confidentiality or availability impact — but unauthorized modification of gallery content could be used to deface site content or inject malicious shortcodes depending on how shortcodes are rendered. The scope is unchanged, meaning the impact is confined to the affected WordPress installation (GitHub Advisory, Wordfence).

Exploitation steps

  1. Reconnaissance: Identify WordPress sites running the Meow Gallery plugin version 5.4.4 or earlier. This can be done by checking the plugin's readme.txt or stable tag via the WordPress plugin directory path (e.g., /wp-content/plugins/meow-gallery/readme.txt).
  2. Obtain Author-level credentials: Gain authenticated access to the target WordPress site with at least Author-level privileges (e.g., through credential stuffing, phishing, or a compromised account).
  3. Authenticate and obtain a nonce: Log in to the WordPress site and retrieve a valid REST API nonce, typically available via the WordPress REST API or embedded in page source.
  4. Craft malicious REST API request: Send an authenticated HTTP POST request to /wp-json/meow-gallery/v1/save_shortcode with a user-controlled id parameter set to either a new value (to create a record) or an existing gallery record's ID (to overwrite it), along with desired shortcode content.
  5. Achieve unauthorized data modification: The endpoint processes the request without verifying ownership or authorization, resulting in the creation or overwrite of the targeted gallery shortcode record in the WordPress database (GitHub Advisory, Wordfence).

Indicators of compromise

  • Network: Unexpected or repeated POST requests to /wp-json/meow-gallery/v1/save_shortcode from Author-level user accounts, especially with varying or sequential id parameter values.
  • Logs: WordPress access logs showing REST API calls to the meow-gallery/v1/save_shortcode endpoint from user accounts that do not typically manage gallery content; authentication logs showing Author-level accounts active at unusual times.
  • Database: Unexpected creation or modification of gallery shortcode records in the WordPress database, particularly records not associated with the modifying user's content; audit trail showing database writes from low-privilege accounts to gallery tables.

Mitigation and workarounds

Users should update the Meow Gallery plugin to version 5.4.5 or later, which introduces proper capability checks on the affected REST API endpoint (WordPress Trac Changeset). As a workaround, site administrators can restrict REST API access to trusted authenticated users only, or temporarily disable the Meow Gallery plugin until the update can be applied. Additionally, administrators should audit existing gallery shortcode records for unauthorized modifications and review user accounts with Author-level access or above (Wordfence, GitHub Advisory).
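As an added example (not the Meow Gallery plugin's own code; its classes/rest.php is not reproduced here), the following sketches the authorization the technical details above describe as missing and the capability checks the fix introduces: a WordPress REST route whose permission_callback authorizes the specific record named by the client instead of trusting the user-controlled id. The table and column names, route namespace, handler names and capability mapping are assumptions.

```php
<?php
// Added illustrative example, not the Meow Gallery plugin's own code. Assumes a
// custom table {$wpdb->prefix}mgx_galleries with columns id, author_id, shortcode.
function mgx_table() {
    global $wpdb;
    return $wpdb->prefix . 'mgx_galleries';
}
// Object-level authorization, the piece a CWE-639 bug lacks: a new record (id 0)
// needs the right to create content; an existing one must belong to the caller
// unless they may edit others' content.
function mgx_user_can_save_gallery( $id ) {
    global $wpdb;
    if ( 0 === $id ) {
        return current_user_can( 'edit_posts' );
    }
    $owner = $wpdb->get_var( $wpdb->prepare( 'SELECT author_id FROM ' . mgx_table() . ' WHERE id = %d', $id ) );
    if ( null === $owner ) {
        return false; // unknown id: the client never gets to choose a new key
    }
    return (int) $owner === get_current_user_id() || current_user_can( 'edit_others_posts' );
}

// The weak form of this registration is 'permission_callback' => '__return_true'.
function mgx_register_routes() {
    register_rest_route( 'mgx-example/v1', '/save_shortcode', array(
        'methods'             => 'POST',
        'callback'            => 'mgx_save_shortcode',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return mgx_user_can_save_gallery( absint( $req->get_param( 'id' ) ) );
        },
        'args' => array(
            'id'        => array( 'required' => true, 'type' => 'integer', 'minimum' => 0 ),
            'shortcode' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'mgx_register_routes' );
// Handler: the owner of a new row is the authenticated user, never a request field.
function mgx_save_shortcode( WP_REST_Request $req ) {
    global $wpdb;
    $id   = absint( $req->get_param( 'id' ) );
    $data = array( 'shortcode' => $req->get_param( 'shortcode' ) );
    if ( 0 === $id ) {
        $wpdb->insert( mgx_table(), $data + array( 'author_id' => get_current_user_id() ) );
        $id = (int) $wpdb->insert_id;
    } else {
        $wpdb->update( mgx_table(), $data, array( 'id' => $id ) );
    }
    return rest_ensure_response( array( 'id' => $id ) );
}
```

Because WordPress runs the permission_callback before the handler, an Author who names another user's record gets a 403 and the handler never touches the row; the same check also stops a record being created under a client-chosen key.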

Community reactions

The vulnerability was reported and disclosed by Wordfence, which published a threat intelligence entry on June 13, 2026 (Wordfence). The advisory was also picked up by ENISA's EUVD database (EUVD-2026-36649) and aggregated by several vulnerability tracking platforms. No significant broader media coverage or notable researcher commentary beyond standard advisory distribution has been observed.

Additional resources

Source

This report was generated using AI.
