EIP-2026-114167

PRE-CVE

WordPress Plugin Video Gallery 2.8 - Arbitrary Mail Relay

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114167. PoCs published by Claudio Viviani.

AI-analyzed exploit summary This exploit demonstrates an unprotected mail page vulnerability in WordPress Video Gallery 2.8, allowing unauthenticated users to send arbitrary emails by spoofing the Referer header. The PoC uses cURL to trigger the email function via admin-ajax.php.

Description

WordPress Plugin Video Gallery 2.8 - Arbitrary Mail Relay

Exploits (1)

exploitdb WORKING POC VERIFIED

by Claudio Viviani · textwebappsphp

https://www.exploit-db.com/exploits/37106

View Code ZIP pw:eip

This exploit demonstrates an unprotected mail page vulnerability in WordPress Video Gallery 2.8, allowing unauthenticated users to send arbitrary emails by spoofing the Referer header. The PoC uses cURL to trigger the email function via admin-ajax.php.

Classification

Working Poc 100%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: WordPress Video Gallery 2.8

No auth needed

Prerequisites: WordPress Video Gallery 2.8 installed · Access to the target's admin-ajax.php endpoint

MITRE ATT&CK

T1134 - Access Token Manipulation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026