PatchSiren cyber security CVE debrief
CVE-2026-1291 tigroumeow CVE debrief
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
- Vendor: tigroumeow
- Product: Meow Gallery
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-13
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-13
- Advisory updated: 2026-06-13
Who should care
Administrators of WordPress sites running the Meow Gallery plugin in any version up to and including 5.4.4, particularly sites that have accounts with Author-level access and above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode. This allows authenticated attackers with Author-level access and above to modify data without proper authorization.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the Meow Gallery plugin to a version that includes a fix for this vulnerability.
- Restrict access to the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode to only authorized users.
- Monitor for suspicious activity on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode.
Evidence notes
The vulnerability was reported by [email protected] and is tracked in the WordPress plugin repository.