cleantalk
Vulnerabilities and Security Researches

Gallery Block (Meow Gallery), CVE-2026-1291

CVE, Research URL

CVE-2026-1291

Home page URL

Security reports for Gallery Block (Meow Gallery)

Application

Gallery Block (Meow Gallery)

Published on
Jun 13, 2026
Research Description
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
Affected versions
max 5.4.5.
Status
vulnerable
Previous vulnerability researches
W3SCloud Contact Form 7 to Zoho CRM (CVE-2025-60169) , Oct 11, 2025
W3SCloud Contact Form 7 to Zoho CRM (CVE-2023-33999) , Jun 14, 2026
W3SCloud Contact Form 7 to Zoho CRM (CVE-2021-24435) , Jun 07, 2024
W3SCloud Contact Form 7 to Zoho CRM (CVE-2022-4974) , Nov 16, 2024
WP Zoho for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – CRM, Bigin (CVE-2025-49330) , Jun 13, 2026
New vulnerability
FAQ Manager For Divi, Gutenberg Block & Shortcode (CVE-2023-33999) , Jun 14, 2026
TablePress – Tables in WordPress made easy (CVE-2023-33999) , Jun 14, 2026
Docket Cache – Object Cache Accelerator (CVE-2026-22492) , Jun 14, 2026
Advanced Classifieds & Directory Pro (CVE-2023-33999) , Jun 14, 2026
Display Eventbrite Events (CVE-2023-33999) , Jun 14, 2026