CVE-2026-0687 Overview
CVE-2026-0687 affects the Meta-box GalleryMeta plugin for WordPress in all versions up to and including 3.0.1. The plugin performs no capability check specific to the mb_gallery custom post type, so authenticated users with Author-level access (or higher) can create and publish galleries they should not control. The flaw is classified as CWE-862: Missing Authorization and is a broken access control issue, not a code execution vector. Exploitation requires valid credentials, which limits the exposure to sites that hand out Author-level or higher accounts to users who are not meant to manage galleries.
Critical Impact
Authenticated attackers with Author-level access can bypass authorization controls to create and publish gallery content through the mb_gallery custom post type.
Affected Products
- Meta-box GalleryMeta plugin for WordPress, versions up to and including 3.0.1
- WordPress sites running the GalleryMeta plugin that grant Author-level (or higher) accounts to users who should not manage galleries
- Any WordPress deployment registering the mb_gallery custom post type via this plugin
Discovery Timeline
- 2026-01-24 - CVE-2026-0687 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0687
Vulnerability Analysis
The vulnerability stems from how the GalleryMeta plugin registers the mb_gallery custom post type. A custom post type defaults to capability_type 'post'; unless the registration supplies a dedicated capability_type (with map_meta_cap enabled) or an explicit capabilities map, the type inherits the generic post capabilities, so every user holding edit_posts and publish_posts, which includes the Author role, can create and publish it. The plugin code in gallerymetaboxes.php and include/posttype.php registers the post type this way, without restricting gallery management to a role that should hold it. The impact is on integrity: an attacker can inject unauthorized gallery content into the public-facing site. Confidentiality and availability are unaffected, since the issue neither exposes data nor disrupts service.
Root Cause
The root cause is the absence of any gallery-specific capability check for the mb_gallery post type. The plugin relies on the default WordPress post capabilities instead of registering a dedicated capability set (for example a capability such as manage_galleries granted only to trusted roles) or gating gallery actions with current_user_can() checks. Based on the plugin source referenced in the advisory, the post type registration implements no granular authorization for gallery creation.
Attack Vector
An attacker must first authenticate to the target WordPress site with at least Author-level privileges. Once authenticated, the attacker submits gallery content through the standard WordPress admin screens for the post type or, if the plugin exposes the type over the REST API (show_in_rest), through its wp/v2 endpoint. Because no gallery-specific check restricts the action, the gallery is created and published. Exploitation therefore requires network access to the administrative interface and low privileges, with no user interaction once credentials are held. Further technical detail is available in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-0687
Indicators of Compromise
- Unexpected entries of post type mb_gallery in the wp_posts table authored by users who are not site administrators or editors
- Creation or publication events for mb_gallery content from accounts below Editor level in WordPress audit logs (Authors can publish directly; Contributors can at least create drafts)
- Anomalous POST requests from low-privilege accounts to /wp-admin/post.php (the post type travels in the request body, so access logs alone cannot single out gallery saves; pair this with audit logging) or, where the type is exposed over REST, to /wp-json/wp/v2/mb_gallery (the default route name for the type)
Detection Strategies
- Query the WordPress database for post_type = 'mb_gallery' records and cross-reference post_author against the list of authorized gallery managers
- Enable WordPress activity logging plugins to capture custom post type creation events with role context
- Monitor web server access logs for write operations against gallery-related admin endpoints by non-privileged users
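The first detection strategy above, written as a script that runs inside the affected site (for example with `wp eval-file find-unauthorized-galleries.php`). This is an added example for this advisory, not code from the GalleryMeta plugin. It assumes the post type slug mb_gallery from the advisory and treats edit_others_posts (held by Editors and Administrators, not Authors) as the bar for a legitimate gallery author; every mb_gallery post whose author falls below that bar, or whose author no longer exists, is reported.

```php
<?php
/**
 * find-unauthorized-galleries.php
 *
 * Added example for this advisory; not code from the GalleryMeta plugin.
 * Run inside the affected site:  wp eval-file find-unauthorized-galleries.php
 *
 * Assumptions: the post type slug is 'mb_gallery' (from the advisory) and a
 * legitimate gallery manager holds 'edit_others_posts' (Editor and above).
 */

/**
 * Return mb_gallery posts whose author does not hold $required_cap.
 *
 * @param string $required_cap Capability that marks an authorised gallery manager.
 * @return array[] One row per suspect post, newest first.
 */
function gm_find_suspect_galleries( $required_cap = 'edit_others_posts' ) {
    $galleries = get_posts( array(
        'post_type'      => 'mb_gallery',
        'post_status'    => 'any',   // drafts, pending and private count too
        'posts_per_page' => -1,
        'orderby'        => 'date',
        'order'          => 'DESC',
    ) );

    $suspects = array();
    foreach ( $galleries as $gallery ) {
        $author_id = (int) $gallery->post_author;
        // user_can() evaluates the author's *current* role: a user promoted
        // after creating the gallery is not flagged, so also review role changes.
        if ( 0 === $author_id || ! user_can( $author_id, $required_cap ) ) {
            $author     = get_userdata( $author_id ); // WP_User or false
            $suspects[] = array(
                'ID'           => $gallery->ID,
                'status'       => $gallery->post_status,
                'author_id'    => $author_id,
                'author_login' => $author ? $author->user_login : '(deleted user)',
                'author_roles' => $author ? implode( ',', $author->roles ) : '',
                'created_gmt'  => $gallery->post_date_gmt,
                'title'        => $gallery->post_title,
            );
        }
    }
    return $suspects;
}

// Print a report when run through WP-CLI; gm_find_suspect_galleries() can
// equally be called from a scheduled job or an audit plugin.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $rows = gm_find_suspect_galleries();
    if ( empty( $rows ) ) {
        WP_CLI::success( 'No mb_gallery posts authored by users below Editor.' );
    } else {
        WP_CLI\Utils\format_items(
            'table',
            $rows,
            array( 'ID', 'status', 'author_id', 'author_login', 'author_roles', 'created_gmt', 'title' )
        );
        WP_CLI::warning( count( $rows ) . ' mb_gallery post(s) need review (CVE-2026-0687).' );
    }
}
```

Because the check is capability-based rather than role-name-based, it also covers custom roles that have been granted edit_others_posts. Treat the list as a review queue, not as proof of compromise: a gallery legitimately created by an Author before the role was tightened will show up too.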
Monitoring Recommendations
- Forward WordPress audit logs to a centralized SIEM and alert on creation of mb_gallery posts by Author-level accounts
- Track plugin version inventory across managed WordPress sites and flag installations of GalleryMeta at or below version 3.0.1
- Baseline expected gallery publication patterns and alert on deviations such as bulk creation events
How to Mitigate CVE-2026-0687
Immediate Actions Required
- Update the Meta-box GalleryMeta plugin to a release newer than 3.0.1 as soon as the vendor ships one
- Audit existing user accounts and reduce privileges for users who do not require Author or higher roles
- Review and remove any unauthorized mb_gallery posts created by low-privilege accounts
Patch Information
No fixed version is referenced in the NVD record at the time of publication. Administrators should monitor the WordPress plugin repository and the Wordfence advisory for an updated release addressing the missing capability check.
Workarounds
- Temporarily deactivate the GalleryMeta plugin until a patched version is available
- Restrict Author-level access on affected sites and require Editor or Administrator roles for content publication
- Override the mb_gallery capability map from a site-specific plugin so that gallery actions require a stricter capability such as edit_others_posts; the register_post_type_args filter is the cleanest hook, since a map_meta_cap filter alone only sees meta capabilities (edit_post, delete_post) and not the create_posts check that gates new galleries
# Inventory check via WP-CLI: list the plugin's status and version (3.0.1 or lower is affected)
wp plugin list --name=meta-box-gallerymeta --fields=name,status,version
# Temporary workaround until a fixed release exists: deactivate the plugin
wp plugin deactivate meta-box-gallerymeta
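The capability override from the Workarounds list, written out as a must-use plugin (drop the file into wp-content/mu-plugins/ so it loads before GalleryMeta registers its post type). This is an added example for this advisory and not code from the GalleryMeta plugin; it assumes the plugin registers the type through register_post_type() under the slug mb_gallery and that the site runs WordPress 4.4 or later, where the register_post_type_args filter exists. It remaps every primitive capability that gates listing, creating, editing, publishing or deleting galleries to edit_others_posts, so Authors lose access to galleries they already created; that is the intended effect of the workaround.

```php
<?php
/**
 * Plugin Name: GalleryMeta capability hardening (CVE-2026-0687 workaround)
 *
 * Added example for this advisory; not code from the GalleryMeta plugin.
 * Assumes the plugin calls register_post_type() with the slug 'mb_gallery'
 * (from the advisory) and WordPress >= 4.4 (register_post_type_args filter).
 */

const GM_HARDEN_POST_TYPE   = 'mb_gallery';        // slug named in the advisory
const GM_HARDEN_REQUIRED_CAP = 'edit_others_posts'; // Editor and Administrator hold it, Author does not

/**
 * Capability map that replaces the plugin's default 'post'-style capabilities.
 * Every write-side primitive capability becomes GM_HARDEN_REQUIRED_CAP; 'read'
 * is left alone so front-end rendering of existing galleries is unchanged.
 *
 * @return array<string,string>
 */
function gm_harden_capability_map() {
    $cap = GM_HARDEN_REQUIRED_CAP;
    return array(
        'edit_posts'             => $cap, // list table, admin menu, saving an auto-draft
        'create_posts'           => $cap, // post-new.php and the REST create check
        'publish_posts'          => $cap, // wp_insert_post() publish check
        'edit_published_posts'   => $cap,
        'edit_others_posts'      => $cap,
        'edit_private_posts'     => $cap,
        'delete_posts'           => $cap,
        'delete_published_posts' => $cap,
        'delete_others_posts'    => $cap,
        'delete_private_posts'   => $cap,
        'read_private_posts'     => $cap,
        'read'                   => 'read',
    );
}

/**
 * register_post_type_args callback: rewrite the arguments for mb_gallery only.
 *
 * @param array  $args      Arguments passed to register_post_type().
 * @param string $post_type Slug of the post type being registered.
 * @return array
 */
function gm_harden_post_type_args( $args, $post_type ) {
    if ( GM_HARDEN_POST_TYPE !== $post_type ) {
        return $args;
    }
    // map_meta_cap must be true so the edit_post / delete_post / read_post meta
    // capabilities resolve through the primitive capabilities set below.
    $args['map_meta_cap'] = true;
    $existing = ( isset( $args['capabilities'] ) && is_array( $args['capabilities'] ) )
        ? $args['capabilities']
        : array();
    // Our entries win over whatever the plugin passed.
    $args['capabilities'] = array_merge( $existing, gm_harden_capability_map() );
    return $args;
}

/**
 * Convenience check for audits: can this user manage galleries after hardening?
 *
 * @param int $user_id
 * @return bool
 */
function gm_harden_user_can_manage_galleries( $user_id ) {
    return user_can( (int) $user_id, GM_HARDEN_REQUIRED_CAP );
}

// Guarded so the file can also be syntax-checked or unit-tested outside WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'register_post_type_args', 'gm_harden_post_type_args', 10, 2 );
}
```

After activating it, verify from WP-CLI with `wp cap list author` (edit_others_posts must be absent) and confirm that an Author account no longer sees the gallery screen or can POST to the type's REST route. Remove the mu-plugin once a fixed GalleryMeta release registers the post type with proper capabilities, or keep it if the stricter policy suits the site.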
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


