{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1254", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T19:42:37.716Z", "datePublished": "2026-02-14T08:26:46.683Z", "dateUpdated": "2026-04-08T17:11:16.005Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:16.005Z"}, "affected": [{"vendor": "wpchill", "product": "Modula Image Gallery \u2013 Photo Grid & Video Gallery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.13.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery."}], "title": "Modula Image Gallery \u2013 Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b86d26e-cda0-4558-9967-3ec6f5eff510?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3447757/modula-best-grid-gallery/trunk/includes/admin/class-modula-cpt.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2026-01-08T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-20T19:59:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-13T19:48:39.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:36:26.080595Z", "id": "CVE-2026-1254", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:44:44.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:36:26.080595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:36:26.860Z"}}], "cna": {"title": "Modula Image Gallery \u2013 Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Modula Image Gallery \u2013 Photo Grid & Video Gallery", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.13.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-08T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-20T19:59:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-13T19:48:39.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b86d26e-cda0-4558-9967-3ec6f5eff510?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3447757/modula-best-grid-gallery/trunk/includes/admin/class-modula-cpt.php"}], "descriptions": [{"lang": "en", "value": "The Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-14T08:26:46.683Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1254", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:44:44.198Z", "dateReserved": "2026-01-20T19:42:37.716Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T08:26:46.683Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery."}, {"lang": "es", "value": "El plugin Modula Image Gallery \u2013 Photo Grid &amp; Video Gallery para WordPress es vulnerable a una omisi\u00f3n de autorizaci\u00f3n en todas las versiones hasta la 2.13.6, inclusive. Esto se debe a que el plugin no verifica correctamente que un usuario est\u00e1 autorizado para modificar publicaciones espec\u00edficas antes de actualizarlas a trav\u00e9s de la API REST. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, actualicen el t\u00edtulo, el extracto y el contenido de publicaciones arbitrarias al pasar IDs de publicaciones en el campo modulaImages al editar una galer\u00eda."}], "id": "CVE-2026-1254", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T09:16:12.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3447757/modula-best-grid-gallery/trunk/includes/admin/class-modula-cpt.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b86d26e-cda0-4558-9967-3ec6f5eff510?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.13.6]"}}], "product": "modula_image_gallery_\u2013_photo_grid_&_video_gallery", "vendor": "wpchill"}], "analysis": {"en": {"generated_at": "2026-04-15T20:36:40.993230+00:00", "value": {"mitigation_remediation": ["Update Modula Image Gallery to the latest available version to incorporate the authorization fix.", "If an update cannot be applied immediately, restrict contributor accounts from editing posts by changing role capabilities or removing the \"edit_posts\" capability from the contributor role.", "Disable or block the Modula REST API endpoints for unauthenticated or low-privilege users using a security plugin or custom code to enforce proper capability checks."], "summary": {"action": "Apply patch", "impact": "Unauthorized post modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin up to and including version 2.13.6, supplied by the wpchill vendor. Any WordPress site running a vulnerable version may be impacted, regardless of other plugins or theme configurations.", "description_and_impact": "The Modula Image Gallery plugin for WordPress allows an authenticated user with contributor-level permissions to modify arbitrary posts through its REST API. When editing a gallery, the plugin accepts a list of post IDs in the modulaImages field and blindly updates the title, excerpt, and content of those posts without verifying that the user is actually allowed to edit them. This missing authorization check enables content tampering, defacement, or introduction of malicious data on the site. The vulnerability aligns with CWE\u2011862, Missing Authorization.", "risk_and_exploitability": "The CVSS v3 score is 4.3, indicating moderate risk. EPSS is below 1%, meaning that the current likelihood of exploitation is low, and the flaw is not listed in the CISA KEV catalog. Attackers must be authenticated and possess at least contributor access, and the vector requires use of the plugin\u2019s REST API endpoint. While the exploit does not involve remote code execution or privilege escalation, the ability to alter arbitrary content can damage site integrity and trust."}}}}, "created": "2026-02-16T12:01:57.381419+00:00", "updated": "2026-04-15T20:45:06.382028+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$modula_image_gallery_\u2013_photo_grid_&_video_gallery"]}