WordPress Plugin Vulnerabilities

Modula Image Gallery – Photo Grid & Video Gallery < 2.13.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing

Description

The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.

Affects Plugins

Plugin icon
modula-best-grid-gallery
Fixed in 2.13.7

References

CVE
CVE-2026-1254
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9b86d26e-cda0-4558-9967-3ec6f5eff510

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
type5afe
Verified
No
WPVDB ID
3ee0f2fa-fceb-46b3-ae2f-f6682e41378e

Timeline

Publicly Published
2026-02-13 (about 4 months ago)
Added
2026-02-13 (about 4 months ago)
Last Updated
2026-02-14 (about 4 months ago)

Other

Published
Title
Published
2025-04-22
Title
Appointment Booking Calendar < 1.3.93 - Missing Authorization
Published
2025-12-15
Title
Wbcom Designs < 2.1.2 - Missing Authorization
Published
2025-12-08
Title
Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms < 1.4.7 - Missing Authorization
Published
2026-01-07
Title
Speed Kit <= 2.0.2 - Missing Authorization
Published
2025-10-10
Title
Everest Backup < 2.3.9 - Missing Authorization