CVE-2026-1291— tigroumeow Meow Gallery 授权问题漏洞

Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

通过用户控制密钥绕过授权机制

tigroumeow Meow Gallery 授权问题漏洞

Meow Gallery是tigroumeow个人开发者的一款轻量级、精致的 WordPress 图库解决方案。 tigroumeow Meow Gallery 5.4.4及之前版本存在授权问题漏洞，该漏洞源于/wp - json/meow - gallery/v1/save_shortcode 这个 REST API 端点缺少权限检查，导致具有作者级别及以上权限的认证攻击者，通过提供用户可控的 id 值，能够任意创建或覆盖现有的图库短代码记录。

N/A

N/A