PT-2026-8098 · WordPress · Modula Image Gallery

Wpchill · Published 2026-02-14 · Updated 2026-02-14 · CVE-2026-1254

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Modula Image Gallery plugin for WordPress versions up to and including 2.13.6

Description

The plugin does not properly verify user authorization before allowing modifications to posts through the REST API. This allows authenticated attackers with contributor-level access or higher to update the title, excerpt, and content of any post by manipulating the modulaImages field with specific post IDs when editing a gallery. The vulnerability affects the updating of posts via the REST API. The API endpoint used in the attack is not explicitly mentioned. The vulnerable parameter is modulaImages.

Recommendations

Update the Modula Image Gallery plugin to a version later than 2.13.6.

Fix

Missing Authorization

Weakness Enumeration

Related identifiers

CVE-2026-1254

Affected products

Modula Image Gallery