CVE-2026-1254

CVE-2026-1254 (Modula Image Gallery – Photo Grid & Video Gallery, WordPress) is a vulnerability in versions up to 2.13.6 where an authorization bypass exists due to improper verification of a user’s rights to modify posts via the REST API. Authenticated attackers with contributor level access and...

CVE-2025-13646

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaxunzipfile' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files...

CVE-2025-13646

Summary: CVE-2025-13646 affects the Modula Image Gallery plugin for WordPress (versions 2.13.1–2.13.2). The root cause is missing file type validation in the ajax_unzip_file function, enabling authenticated attackers with Author-level access or higher to upload arbitrary files via a race conditio...

CVE-2025-13645

The CVE-2025-13645 entry concerns the Modula Image Gallery WordPress plugin. Affected versions 2.13.1–2.13.2 are vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_unzip_file function. Authenticated attackers with Author-level access or higher can delete ar...

CVE-2020-9003

A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users...