The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a us [truncated]
CVE-2026-8719 is a privilege-escalation flaw in the AI Engine WordPress plugin’s MCP OAuth authorization flow. The issue stems from missing WordPress capability enforcement: if a requester presents any valid OAuth bearer token, MCP access is granted without confirming administrator-level privileges. In practical terms, authenticated users at Subscriber level or above may be able to invoke admin-level MCP [truncated]