PatchSiren

tigroumeow CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM tigroumeow CVE published 2026-06-13

CVE-2026-1291

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a us [truncated]

HIGH tigroumeow CVE published 2026-05-17

CVE-2026-8719

CVE-2026-8719 is a privilege-escalation flaw in the AI Engine WordPress plugin’s MCP OAuth authorization flow. The issue stems from missing WordPress capability enforcement: if a requester presents any valid OAuth bearer token, MCP access is granted without confirming administrator-level privileges. In practical terms, authenticated users at Subscriber level or above may be able to invoke admin-level MCP [truncated]