Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4.
AnalysisAI
Improper access control in My Album Gallery versions up to 1.0.4 enables authenticated users to modify gallery data they should not have permission to access. An attacker with valid credentials can exploit this misconfiguration to alter or manipulate album content without proper authorization checks.
Technical ContextAI
The vulnerability resides in the Ruhul Amin My Album Gallery WordPress plugin, identified via CPE cpe:2.3:a:ruhul_amin:my_album_gallery:*:*:*:*:*:*:*:*. The root cause is classified under CWE-862 (Missing Authorization), which describes situations where a software system fails to properly enforce access control restrictions before allowing users to access or modify resources. In WordPress plugin architecture, this typically occurs when capability checks (using functions like current_user_can()) are absent or improperly implemented in action hooks and AJAX handlers. The plugin fails to validate user permissions at critical control points, allowing unauthenticated or low-privilege users to execute administrative operations such as file deletion. This is a common class of vulnerability in WordPress plugins where developers neglect to implement proper nonce verification and role-based access control.
RemediationAI
Immediately deactivate and remove the My Album Gallery plugin from all affected WordPress installations until a patched version is available from the vendor or Ruhul Amin. Monitor the plugin's official repository and Patchstack for security updates to version 1.0.5 or later. If the gallery functionality is critical and the plugin is no longer maintained, evaluate alternative WordPress gallery plugins from actively maintained developers (such as Gutenberg Gallery, Elementor Gallery, or other established alternatives). As an interim mitigation, administrators can restrict direct access to the plugin's files via web server configuration (deny access to wp-content/plugins/my-album-gallery/) and implement file integrity monitoring to detect unauthorized file deletions. Additionally, enable WordPress security logging and review user activity logs for suspicious file operations.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15491
GHSA-pj75-vx8x-rmq9