CVE-2026-1291
Received - Intake
Unauthorized Data Modification in Meow Gallery WordPress Plugin

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: Wordfence

Description
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
Meta Information
Published: 2026-06-13
Last Modified: 2026-06-13
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: meow_gallery
Product: meow_gallery
Version / Range: up to 5.4.4 (inclusive)
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

The Meow Gallery plugin for WordPress has a vulnerability due to a missing capability check on its REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to and including 5.4.4.

This flaw allows authenticated users with Author-level access or higher to create or overwrite existing gallery shortcode records arbitrarily by supplying a user-controlled id value.

The endpoint performs database update operations without verifying if the user is authorized to modify the referenced gallery record or create their own, leading to unauthorized modification of data.

Impact Analysis

This vulnerability can allow attackers with Author-level access or above to arbitrarily create or overwrite gallery shortcode records in the database.

Such unauthorized modifications could lead to data integrity issues, unexpected behavior of the gallery plugin, or potential misuse of the gallery content.

While it does not impact confidentiality or availability directly, it impacts the integrity of the data managed by the plugin.

Mitigation Strategies

To mitigate this vulnerability, you should update the Meow Gallery plugin to a version later than 5.4.4 where the issue is fixed.

Additionally, restrict Author-level access or higher privileges to trusted users only, as the vulnerability requires authenticated users with Author-level access or above.

If an immediate update is not possible, consider disabling or restricting access to the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode to prevent unauthorized modification.

Detection Guidance

This vulnerability involves unauthorized modification of data via the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in the Meow Gallery WordPress plugin. Detection would involve monitoring or testing access to this specific REST API endpoint.

To detect attempts to exploit this vulnerability on your system or network, you can look for HTTP requests targeting the endpoint /wp-json/meow-gallery/v1/save_shortcode, especially POST requests that attempt to create or modify gallery shortcode records.

Example commands to detect such activity include using curl to test the endpoint or using network monitoring tools to filter relevant traffic.

  • Use curl to send a test POST request to the vulnerable endpoint (replace example.com with your site):
      curl -X POST https://example.com/wp-json/meow-gallery/v1/save_shortcode -d '{"id":"test"}' -H "Content-Type: application/json" -v
  • Monitor web server logs or use tools like tcpdump or Wireshark to filter HTTP POST requests to /wp-json/meow-gallery/v1/save_shortcode.
  • Example tcpdump command to capture such requests. It only sees unencrypted HTTP on port 80, so for HTTPS sites rely on web server logs instead; -l keeps the output line-buffered so grep receives matches as they arrive:
      sudo tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/wp-json/meow-gallery/v1/save_shortcode'
  • Check WordPress REST API access logs or security plugin logs for unauthorized POST requests to this endpoint from users with Author-level access.
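
The web server log check described above can be scripted. The following is an added example, not code from the plugin or from this advisory: it scans access log lines for POST requests to the save_shortcode route, including the ?rest_route= form WordPress accepts when pretty permalinks are off. It assumes Combined Log Format; the sample log lines, function names and field names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/meow-gallery/v1/save_shortcode"  # REST route named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jun/2026:10:01:02 +0000] "POST /wp-json/meow-gallery/v1/save_shortcode HTTP/1.1" 200 87 "-" "curl/8.5.0"
203.0.113.7 - - [13/Jun/2026:10:01:09 +0000] "POST /index.php?rest_route=%2Fmeow-gallery%2Fv1%2Fsave_shortcode HTTP/1.1" 200 87 "-" "curl/8.5.0"
198.51.100.4 - - [13/Jun/2026:10:02:00 +0000] "GET /wp-json/meow-gallery/v1/save_shortcode HTTP/1.1" 404 120 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jun/2026:10:03:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 900 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Jun/2026:10:04:00 +0000] "POST /wp-json/meow-gallery/v1/save_shortcode/ HTTP/1.1" 401 60 "-" "Mozilla/5.0"
""".splitlines()

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = re.sub(r"/{2,}", "/", unquote(parts.path))
    idx = path.find("/wp-json/")
    if idx != -1:
        route = path[idx + len("/wp-json"):]
    else:
        # Without pretty permalinks the route travels in ?rest_route=/ns/route
        values = parse_qs(parts.query).get("rest_route")
        if not values:
            return None
        route = values[0]
    # Normalise case and trailing slash so trivial variations still match.
    return route.rstrip("/").lower()

def find_save_shortcode_writes(lines):
    """Return one dict per POST to the save_shortcode route; 'ok' marks 2xx."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if rest_route(m["target"]) == ROUTE:
            status = int(m["status"])
            hits.append({"ip": m["ip"], "time": m["time"],
                         "status": status, "ok": 200 <= status < 300})
    return hits

if __name__ == "__main__":
    for hit in find_save_shortcode_writes(SAMPLE_LOG):
        print(hit)
```

Access logs do not record the WordPress user or role, so hits with a 2xx status still need to be correlated with application or security plugin logs to identify the account involved.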
Compliance Impact

The vulnerability allows authenticated users with Author-level access and above to modify or create gallery shortcode records without proper authorization checks. This unauthorized modification of data could potentially lead to integrity issues within the affected WordPress site.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
