PT-2026-8098 · WordPress · Modula Image Gallery
Wpchill · Published 2026-02-14 · Updated 2026-02-14 · CVE-2026-1254
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Modula Image Gallery plugin for WordPress versions up to and including 2.13.6
Description
The plugin does not properly verify user authorization before allowing modifications to posts through the REST API. This allows authenticated attackers with contributor-level access or higher to update the title, excerpt, and content of any post by manipulating the modulaImages field with specific post IDs when editing a gallery. The vulnerability affects the updating of posts via the REST API. The API endpoint used in the attack is not explicitly mentioned. The vulnerable parameter is modulaImages.
Recommendations
Update the Modula Image Gallery plugin to a version later than 2.13.6.
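For teams reviewing their own plugin code for the same weakness, the per-object authorization check that the description reports as missing can be sketched as follows. This is an added example, not Modula's code or its patch: the function name, the shape of each modulaImages entry (id, title, caption, description) and the restriction to attachments are assumptions.

```php
<?php
/**
 * Added illustration, not the plugin's own code.
 * Assumed entry shape (hypothetical):
 *   [ 'id' => int, 'title' => string, 'caption' => string, 'description' => string ]
 */
function example_apply_gallery_image_updates( array $modula_images ) {
    $results = array( 'updated' => array(), 'skipped' => array() );

    foreach ( $modula_images as $image ) {
        $post_id = isset( $image['id'] ) ? absint( $image['id'] ) : 0;
        $post    = $post_id ? get_post( $post_id ) : null;

        // Assumption: gallery images are media-library attachments, so an ID
        // that resolves to a page, post or other post type is never written.
        if ( ! $post || 'attachment' !== $post->post_type ) {
            $results['skipped'][] = $post_id;
            continue;
        }

        // Object-level check: the capability is evaluated against this
        // specific post ID, not against the gallery being edited.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            $results['skipped'][] = $post_id;
            continue;
        }

        // Build the update from the three fields the advisory names.
        $update = array( 'ID' => $post_id );
        if ( isset( $image['title'] ) ) {
            $update['post_title'] = sanitize_text_field( $image['title'] );
        }
        if ( isset( $image['caption'] ) ) {
            $update['post_excerpt'] = wp_kses_post( $image['caption'] );
        }
        if ( isset( $image['description'] ) ) {
            $update['post_content'] = wp_kses_post( $image['description'] );
        }

        // wp_update_post() expects slashed input; true returns WP_Error on failure.
        $result = wp_update_post( wp_slash( $update ), true );
        $results[ is_wp_error( $result ) ? 'skipped' : 'updated' ][] = $post_id;
    }

    return $results;
}
```

Logging the skipped IDs gives a detection signal: a contributor account repeatedly submitting post IDs it cannot edit is worth reviewing.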
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Modula Image Gallery