Attack Vectors
CVE-2026-1254 is a Medium severity issue (CVSS 4.3) affecting the WordPress plugin Modula Image Gallery – Photo Grid & Video Gallery (slug: modula-best-grid-gallery) in versions 2.13.6 and earlier. The weakness can be abused through the plugin’s REST API workflow when a gallery is edited.
The attacker must already be logged into WordPress with Contributor access or higher. From there, they may be able to modify posts or pages they are not allowed to edit by supplying other post IDs in the plugin's modulaImages field while editing a gallery.
Security Weakness
The core problem is a missing per-object authorization check. According to the published advisory, the plugin does not verify that the logged-in user is allowed to modify the particular post or page being updated before applying the change through the REST API; being allowed to edit the gallery is treated as permission to edit whatever post IDs the request names.
As a result, an authenticated user who can edit a gallery may be able to update the title, excerpt, and content of arbitrary posts by referencing different post IDs in the modulaImages field.
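The gap described in the two paragraphs above, shown as a minimal WordPress REST handler with the missing check and its corrected form. This is an added illustration written for this page, not code from the Modula plugin: the route example/v1/gallery, the shape of the modulaImages items, and the assumption that those items are media attachments (whose title, caption and description WordPress stores as post_title, post_excerpt and post_content) are all assumptions made for the example.

```php
<?php
/*
 * Added example (not Modula's code). Illustrates why a route-level
 * permission check is not enough when the request body carries its own
 * object IDs: each ID that is written must be authorized individually.
 *
 * Assumptions made for this example:
 *  - route POST example/v1/gallery/<id> edits gallery <id>
 *  - 'modulaImages' is an array of { id, title, excerpt, content }
 *  - each item id refers to a media attachment (post_type 'attachment')
 */

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/gallery/(?P<id>\d+)', array(
        'methods'             => 'POST',
        // Route-level check: caller may edit the gallery named in the URL.
        // This says nothing about the IDs nested inside the request body.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'callback'            => 'example_update_gallery_fixed',
    ) );
} );

/*
 * VULNERABLE PATTERN. The caller proved they may edit the gallery, but every
 * entry in modulaImages carries its own post ID, and those IDs go straight to
 * wp_update_post(). A Contributor who can edit one gallery can therefore
 * rewrite the title, excerpt and content of any post on the site.
 */
function example_update_gallery_vulnerable( WP_REST_Request $request ) {
    $images = (array) $request->get_param( 'modulaImages' );
    foreach ( $images as $image ) {
        wp_update_post( array(
            'ID'           => (int) $image['id'],   // attacker-controlled
            'post_title'   => $image['title'],
            'post_excerpt' => $image['excerpt'],
            'post_content' => $image['content'],
        ) );
    }
    return rest_ensure_response( array( 'updated' => count( $images ) ) );
}

/*
 * FIXED PATTERN. Authorize every object that is actually written, not only
 * the one named in the URL, and refuse IDs of an unexpected type.
 */
function example_update_gallery_fixed( WP_REST_Request $request ) {
    $gallery_id = (int) $request['id'];
    $images     = (array) $request->get_param( 'modulaImages' );
    $updated    = 0;

    foreach ( $images as $image ) {
        $post_id = isset( $image['id'] ) ? (int) $image['id'] : 0;
        $post    = $post_id ? get_post( $post_id ) : null;

        // 1. Target must exist and be the kind of object this endpoint edits
        //    (assumed: attachments). A page or post ID is rejected here.
        if ( ! $post || 'attachment' !== $post->post_type ) {
            return new WP_Error( 'rest_invalid_target',
                'Not a gallery image.', array( 'status' => 400 ) );
        }
        // 2. Per-object capability check. Contributors fail this for any
        //    post they do not own, and for anything already published.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error( 'rest_forbidden',
                'You may not edit this item.', array( 'status' => 403 ) );
        }
        // 3. Sanitize before writing.
        wp_update_post( array(
            'ID'           => $post_id,
            'post_title'   => sanitize_text_field( $image['title'] ?? '' ),
            'post_excerpt' => wp_kses_post( $image['excerpt'] ?? '' ),
            'post_content' => wp_kses_post( $image['content'] ?? '' ),
        ) );
        $updated++;
    }
    return rest_ensure_response(
        array( 'gallery' => $gallery_id, 'updated' => $updated )
    );
}
```

The permission_callback on its own would not close the hole: it authorizes the gallery in the URL, while the damage is done through the IDs in the body. A stricter design would additionally confirm that each attachment belongs to the gallery being edited, which needs plugin-specific data this example does not assume.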
Technical or Business Impacts
For marketing directors and executives, this is primarily a content integrity and brand trust risk. Unauthorized changes to landing pages, product pages, campaign copy, or compliance-related disclosures can cause reputational damage, customer confusion, and operational disruption, even though the vulnerability is rated Medium and the advisory describes no direct data theft.
Potential business impacts include: misaligned messaging during active campaigns, SEO setbacks from altered on-page content, delays while teams investigate and restore content, and compliance concerns if regulated statements or required notices are modified without approval. This is also an internal-control issue: it undermines role-based access expectations (e.g., Contributors affecting content beyond their permissions).
Remediation: Update Modula Image Gallery – Photo Grid & Video Gallery to version 2.13.7 or newer, which contains the fix. Prioritize sites with several Contributor+ accounts, frequent content updates, or approval workflows that matter. After patching, review recently modified posts and pages for edits that no Editor or Administrator approved, and confirm that every Contributor-level account is still needed.
Similar Attacks
This type of issue—where a logged-in user can do more than intended due to broken authorization—has appeared in other WordPress components and plugins. For context, here are a few real examples:
WordPress 4.7.0 and 4.7.1: REST API content injection, fixed in the 4.7.2 security release (security release notice)