CVE-2026-0687: CWE-862 Missing Authorization in shahinurislam Meta-box GalleryMeta
The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries.
AI Analysis
Technical Summary
CVE-2026-0687 identifies a missing authorization vulnerability (CWE-862) in the Meta-box GalleryMeta plugin for WordPress, affecting all versions up to and including 3.0.1. The root cause is the absence of a proper capability check on the 'mb_gallery' custom post type, which governs gallery content management within the plugin. This flaw allows any authenticated user with Author-level privileges or higher to create and publish galleries without further authorization, bypassing intended access controls. Since WordPress roles such as Author are commonly assigned to content creators who may not be fully trusted, this vulnerability can be exploited to inject unauthorized content or manipulate existing galleries, potentially damaging website integrity or enabling further attacks such as phishing or malware distribution. The vulnerability does not impact confidentiality or availability directly and requires no user interaction, but it does allow integrity compromise with relatively low attack complexity. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability was published on January 24, 2026, with a CVSS v3.1 base score of 4.3, indicating medium severity. The attack vector is network-based, with low attack complexity and privileges required, and no user interaction needed. The scope remains unchanged as the vulnerability affects only the plugin's data. This vulnerability highlights the importance of enforcing capability checks on custom post types in WordPress plugins to prevent unauthorized content manipulation.
Potential Impact
For European organizations, the vulnerability poses a moderate risk primarily to the integrity of website content managed via WordPress installations using the Meta-box GalleryMeta plugin. Attackers with Author-level access can inject or modify gallery content, potentially defacing websites, distributing malicious media, or misleading users through unauthorized content. This can damage brand reputation, reduce user trust, and potentially facilitate further attacks such as social engineering or malware delivery. Since the vulnerability does not affect confidentiality or availability, direct data breaches or service outages are unlikely. However, organizations with public-facing websites that rely on user-generated content or have multiple authors are at higher risk. The impact is more pronounced for sectors with high web presence such as media, e-commerce, and education. Given the widespread use of WordPress in Europe, especially in countries with large digital economies, the vulnerability could affect a significant number of sites if unmitigated. The lack of known exploits reduces immediate risk but should not lead to complacency.
Mitigation Recommendations
1. Immediately restrict Author-level permissions to trusted users only, minimizing the number of users who can exploit this vulnerability.
2. Monitor and audit user roles and capabilities within WordPress to ensure no unauthorized privilege escalation.
3. Disable or uninstall the Meta-box GalleryMeta plugin if it is not essential to reduce attack surface.
4. Implement web application firewalls (WAFs) with custom rules to detect and block unauthorized gallery creation or modification attempts.
5. Regularly review and update WordPress plugins and core to the latest versions once a patch for this vulnerability is released.
6. Employ content integrity monitoring tools to detect unauthorized changes to galleries or media content.
7. Educate content authors about the risks of privilege misuse and enforce strong authentication mechanisms to prevent account compromise.
8. If possible, isolate gallery management functionality to higher privilege roles until a fix is available.
9. Engage with plugin developers or security communities to track patch availability and vulnerability disclosures.
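The class of defect described in the technical summary (a custom post type whose writes are gated only by the built-in post capabilities, so every role that can publish posts can also publish galleries) and the hardened registration that mitigation item 8 points toward, shown side by side as an added PHP example. This is illustrative code written for this page, not the Meta-box GalleryMeta plugin's source: the advisory gives only the post type slug 'mb_gallery' and does not show how the plugin registers it. The function names, the capability names WordPress derives from the assumed 'mb_gallery'/'mb_galleries' pair, and the choice of Editor and Administrator as the roles that receive them are all assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code). Shows the general CWE-862
 * pattern for WordPress custom post types and a registration that keeps
 * gallery creation and publishing out of the hands of Author-level users.
 */

// Weak pattern: 'capability_type' => 'post' makes WordPress reuse
// edit_posts / publish_posts for this post type. Any user who can publish
// a blog post (Author and above) can therefore create and publish a
// gallery, and there is no gallery-specific capability left to check.
function example_register_gallery_weak() {
    register_post_type( 'mb_gallery', array(
        'label'           => 'Galleries',
        'public'          => true,
        'show_ui'         => true,
        'capability_type' => 'post',
        'supports'        => array( 'title', 'editor', 'thumbnail' ),
    ) );
}

// Hardened pattern: give the post type its own capability set. From the
// singular/plural pair WordPress derives edit_mb_galleries,
// publish_mb_galleries, edit_others_mb_galleries and so on. No built-in
// role holds any of these until an administrator grants them, so an
// Author account cannot reach the gallery screens or pass the checks.
function example_register_gallery_hardened() {
    register_post_type( 'mb_gallery', array(
        'label'           => 'Galleries',
        'public'          => true,
        'show_ui'         => true,
        'capability_type' => array( 'mb_gallery', 'mb_galleries' ),
        // Map the edit_post/delete_post/read_post meta capabilities onto
        // the primitive capabilities above instead of requiring them raw.
        'map_meta_cap'    => true,
        'supports'        => array( 'title', 'editor', 'thumbnail' ),
    ) );
}
add_action( 'init', 'example_register_gallery_hardened' );

// Grant the primitive gallery capabilities to Editor and Administrator only.
// Meta capabilities (edit_mb_gallery, read_mb_gallery, delete_mb_gallery)
// are resolved by map_meta_cap and are deliberately not added to roles.
// Runs once at activation; the role list is an assumption for this example.
function example_grant_gallery_caps() {
    $primitive_caps = array(
        'edit_mb_galleries',
        'edit_others_mb_galleries',
        'edit_private_mb_galleries',
        'edit_published_mb_galleries',
        'publish_mb_galleries',
        'read_private_mb_galleries',
        'delete_mb_galleries',
        'delete_others_mb_galleries',
        'delete_private_mb_galleries',
        'delete_published_mb_galleries',
    );
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( ! $role ) {
            continue;
        }
        foreach ( $primitive_caps as $cap ) {
            $role->add_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'example_grant_gallery_caps' );

// Every code path that writes gallery data (save handlers, admin-ajax
// actions, REST callbacks) should check the capability explicitly for the
// specific post rather than trusting that the user reached the screen.
// The save routine itself is a placeholder for this example.
function example_save_gallery( $post_id ) {
    if ( ! current_user_can( 'edit_mb_gallery', $post_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to edit this gallery.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }
    // ... persist the gallery's meta fields here ...
}
```

After activation, an Author account no longer sees the Galleries menu and fails every `current_user_can( 'edit_mb_gallery', ... )` or `publish_mb_galleries` check, while Editors and Administrators keep full access. The capability grants can be confirmed from the command line with `wp cap list editor` and `wp cap list author` (WP-CLI), which is also a quick way to carry out the role audit in mitigation item 2.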
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-07T19:28:25.648Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6974846c4623b1157ca99ed9
Added to database: 1/24/2026, 8:35:56 AM
Last enriched: 2/1/2026, 8:29:44 AM
Last updated: 2/7/2026, 7:47:26 AM
Views: 31