{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22345", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:19.919Z", "datePublished": "2026-02-20T15:46:59.892Z", "dateUpdated": "2026-04-28T16:47:03.594Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "new-image-gallery", "product": "Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery", "vendor": "A WP Life", "versions": [{"changes": [{"at": "1.6.1", "status": "unaffected"}], "lessThanOrEqual": "1.6.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:57.359Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.<p>This issue affects Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.This issue affects Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.295Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/new-image-gallery/vulnerability/wordpress-image-gallery-lightbox-gallery-responsive-photo-gallery-masonry-gallery-plugin-1-6-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery plugin <= 1.6.0 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:07:08.112879Z", "id": "CVE-2026-22345", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:47:03.594Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22345", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:19.919Z", "datePublished": "2026-02-20T15:46:59.892Z", "dateUpdated": "2026-04-28T16:47:03.594Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "new-image-gallery", "product": "Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery", "vendor": "A WP Life", "versions": [{"changes": [{"at": "1.6.1", "status": "unaffected"}], "lessThanOrEqual": "1.6.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:57.359Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.<p>This issue affects Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.This issue affects Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:41.295Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/new-image-gallery/vulnerability/wordpress-image-gallery-lightbox-gallery-responsive-photo-gallery-masonry-gallery-plugin-1-6-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery plugin <= 1.6.0 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22345", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T21:07:08.112879Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:07:09.572Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.This issue affects Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery permite la inyecci\u00f3n de objetos. Este problema afecta a Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: desde n/a hasta &lt;= 1.6.0."}], "id": "CVE-2026-22345", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:33.497", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/new-image-gallery/vulnerability/wordpress-image-gallery-lightbox-gallery-responsive-photo-gallery-masonry-gallery-plugin-1-6-0-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery", "source": "cna", "vendor": "A WP Life"}, "product": "image_gallery_\u2013_lightbox_gallery,_responsive_photo_gallery,_masonry_gallery", "vendor": "a_wp_life"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T16:45:02.470304+00:00", "value": {"mitigation_remediation": ["Update the A WP Life Image Gallery plugin to any released version newer than 1.6.0 that contains the fix for the deserialization flaw.", "If an update is unavailable or the site cannot accommodate it, deactivate or completely remove the plugin to eliminate the vulnerable code paths.", "Configure the site to restrict upload and submission capabilities so that only trusted administrators can supply data to the plugin, and implement a web\u2011application firewall rule that blocks requests containing PHP serialized objects targeting the plugin\u2019s endpoints."], "summary": {"action": "Immediate Patch", "impact": "PHP Object Injection via unserialization"}, "threat_synthesis": {"affected_systems": "Any site running the A WP Life Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery plugin, version 1.6.0 or older is affected. These releases are vulnerable to object injection through the plugin\u2019s deserialization logic.", "description_and_impact": "The WordPress Image Gallery \u2013 Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery plugin contains a PHP deserialization flaw that permits untrusted data to be deserialized, enabling an attacker to instantiate arbitrary PHP objects. This object injection can lead to unauthorized code execution, data manipulation, and compromise of confidentiality, integrity, and availability. The vulnerability is classified as CWE-502.", "risk_and_exploitability": "The CVSS base score of 8.8 reflects high severity, while the EPSS score of less than 1 percent indicates a currently low exploitation probability; the problem is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires that an attacker can submit crafted serialized data to the plugin\u2019s deserialization entry points, which is plausible for a role with write access or through exposed endpoints. No publicly documented exploits exist yet, but the risk remains due to the nature of the weakness and potential for future exploitation."}}}}, "created": "2026-02-23T14:36:45.254427+00:00", "updated": "2026-04-16T16:45:25.962175+00:00", "vendors": ["a_wp_life", "a_wp_life$PRODUCT$image_gallery_\u2013_lightbox_gallery,_responsive_photo_gallery,_masonry_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}