Skip to main content

My Album Gallery CVE-2026-22485

| EUVDEUVD-2026-15491 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-pj75-vx8x-rmq9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15491
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4.

AnalysisAI

Improper access control in My Album Gallery versions up to 1.0.4 enables authenticated users to modify gallery data they should not have permission to access. An attacker with valid credentials can exploit this misconfiguration to alter or manipulate album content without proper authorization checks.

Technical ContextAI

The vulnerability resides in the Ruhul Amin My Album Gallery WordPress plugin, identified via CPE cpe:2.3:a:ruhul_amin:my_album_gallery:*:*:*:*:*:*:*:*. The root cause is classified under CWE-862 (Missing Authorization), which describes situations where a software system fails to properly enforce access control restrictions before allowing users to access or modify resources. In WordPress plugin architecture, this typically occurs when capability checks (using functions like current_user_can()) are absent or improperly implemented in action hooks and AJAX handlers. The plugin fails to validate user permissions at critical control points, allowing unauthenticated or low-privilege users to execute administrative operations such as file deletion. This is a common class of vulnerability in WordPress plugins where developers neglect to implement proper nonce verification and role-based access control.

RemediationAI

Immediately deactivate and remove the My Album Gallery plugin from all affected WordPress installations until a patched version is available from the vendor or Ruhul Amin. Monitor the plugin's official repository and Patchstack for security updates to version 1.0.5 or later. If the gallery functionality is critical and the plugin is no longer maintained, evaluate alternative WordPress gallery plugins from actively maintained developers (such as Gutenberg Gallery, Elementor Gallery, or other established alternatives). As an interim mitigation, administrators can restrict direct access to the plugin's files via web server configuration (deny access to wp-content/plugins/my-album-gallery/) and implement file integrity monitoring to detect unauthorized file deletions. Additionally, enable WordPress security logging and review user activity logs for suspicious file operations.

Share

CVE-2026-22485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy