CVE-2026-0687 identifies a missing authorization vulnerability (CWE-862) in the Meta-box GalleryMeta plugin for WordPress, affecting all versions up to 3.0.1. The vulnerability stems from the absence of a proper capability check on the 'mb_gallery' custom post type, which is used to manage galleries within WordPress. Authenticated users with Author-level privileges or higher can exploit this flaw to create and publish galleries without the necessary permissions, bypassing intended access controls. This unauthorized modification of data compromises the integrity of the website's content management system. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score of 4.3 reflects a medium severity, with an attack vector of network, low attack complexity, privileges required at the Author level, no user interaction, and impact limited to integrity loss without affecting confidentiality or availability. No known exploits have been reported in the wild, and no official patches have been released as of the published date. The vulnerability was reserved on January 7, 2026, and published on January 24, 2026, by Wordfence. The plugin is developed by shahinurislam and is used in WordPress environments to manage gallery content via custom post types. This vulnerability could be leveraged by malicious insiders or compromised accounts to inject unauthorized gallery content, potentially leading to defacement, misinformation, or other content integrity issues.

The primary impact of CVE-2026-0687 is the unauthorized modification of website content, specifically the creation and publication of galleries by users who should not have such permissions. This can undermine the integrity of affected WordPress sites, allowing attackers to insert malicious or misleading content, deface the site, or disrupt the user experience. While confidentiality and availability are not directly impacted, the integrity compromise can damage organizational reputation, erode user trust, and potentially facilitate further attacks such as phishing or malware distribution through manipulated galleries. Organizations relying on the Meta-box GalleryMeta plugin are at risk, especially those with multiple users having Author-level access or higher. The vulnerability could be exploited in multi-tenant or collaborative environments where user roles are broadly assigned. Since exploitation requires authenticated access, the threat is more relevant to insider threats or accounts compromised via credential theft. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

To mitigate CVE-2026-0687, organizations should immediately audit and restrict user roles within WordPress, minimizing the number of users with Author-level or higher privileges. Implement the principle of least privilege by ensuring users only have the permissions necessary for their tasks. Monitor and review user activity logs for unusual gallery creation or publishing actions. Until an official patch is released, consider temporarily disabling or removing the Meta-box GalleryMeta plugin if it is not critical to operations. If the plugin is essential, implement additional access controls at the web server or application firewall level to restrict access to gallery management endpoints. Employ multi-factor authentication (MFA) to reduce the risk of account compromise. Stay informed about updates from the plugin vendor and apply patches promptly once available. Additionally, consider deploying content integrity monitoring tools to detect unauthorized changes to galleries or other content. Regular backups of website data should be maintained to enable recovery in case of compromise.