Is Deserialization affected by CVE-2026-22345?

A critical deserialization vulnerability in the WP Life Image Gallery plugin (versions ≤1.6.0) allows attackers to inject malicious objects, potentially compromising WordPress installations using this widely-deployed gallery solution.

CVE-2026-22345

Q: How to fix CVE-2026-22345?

Within 24 hours: Inventory all WordPress instances using WP Life Image Gallery and document version numbers; disable the plugin on all affected systems until patched. Within 7 days: Contact the vendor for patch availability and timeline; implement WAF rules to block suspicious serialized object patterns targeting the plugin. Within 30 days: Apply vendor patch immediately upon release, or migrate to alternative gallery plugins if no patch is forthcoming; conduct malware scans on all affected systems.

HIGH

2026-02-20 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

CVE Published

Feb 20, 2026 - 16:22 nvd

HIGH 8.8

Description

Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery - Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.This issue affects Image Gallery - Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0.

Analysis

Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. …

Remediation

Within 24 hours: Inventory all WordPress instances using WP Life Image Gallery and document version numbers; disable the plugin on all affected systems until patched. Within 7 days: Contact the vendor for patch availability and timeline; implement WAF rules to block suspicious serialized object patterns targeting the plugin. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

CVE-2026-22345 vulnerability details – vuln.today

Back

CVE-2026-22345

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-22345

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code