cleantalk
Vulnerabilities and Security Researches

Gallery Block (Meow Gallery), CVE-2026-1291

CVE, Research URL

CVE-2026-1291

Home page URL

Security reports for Gallery Block (Meow Gallery)

Application

Gallery Block (Meow Gallery)

Published on
Jun 13, 2026
Research Description
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
Affected versions
max 5.4.5.
Status
vulnerable
Previous vulnerability researches
Gallery Block (Meow Gallery) (CVE-2026-1291) , Jun 14, 2026
Gallery Block (Meow Gallery) (CVE-2024-4386) , Jun 07, 2024
Gallery Block (Meow Gallery) (CVE-2021-24465) , Jun 07, 2024
Gallery Block (Meow Gallery) (CVE-2026-32418) , Mar 30, 2026
Gallery Block (Meow Gallery) (CVE-2025-47449) , May 09, 2025
New vulnerability
FAQ Manager For Divi, Gutenberg Block & Shortcode (CVE-2023-33999) , Jun 14, 2026
TablePress – Tables in WordPress made easy (CVE-2023-33999) , Jun 14, 2026
Docket Cache – Object Cache Accelerator (CVE-2026-22492) , Jun 14, 2026
Advanced Classifieds & Directory Pro (CVE-2023-33999) , Jun 14, 2026
Display Eventbrite Events (CVE-2023-33999) , Jun 14, 2026