{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22485", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.294Z", "datePublished": "2026-03-25T16:14:22.760Z", "dateUpdated": "2026-04-28T17:19:44.647Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-album-gallery", "product": "My Album Gallery", "vendor": "Ruhul Amin", "versions": [{"lessThanOrEqual": "1.0.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:35.257Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects My Album Gallery: from n/a through <= 1.0.4.</p>"}], "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.498Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-album-gallery/vulnerability/wordpress-my-album-gallery-plugin-1-0-4-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress My Album Gallery plugin <= 1.0.4 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:45:26.599255Z", "id": "CVE-2026-22485", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:19:44.647Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22485", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.294Z", "datePublished": "2026-03-25T16:14:22.760Z", "dateUpdated": "2026-04-28T17:19:44.647Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-album-gallery", "product": "My Album Gallery", "vendor": "Ruhul Amin", "versions": [{"lessThanOrEqual": "1.0.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:35.257Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects My Album Gallery: from n/a through <= 1.0.4.</p>"}], "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.498Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-album-gallery/vulnerability/wordpress-my-album-gallery-plugin-1-0-4-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress My Album Gallery plugin <= 1.0.4 - Arbitrary File Deletion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22485", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:45:26.599255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:42.317Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Ruhul Amin My Album Gallery my-album-gallery permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a My Album Gallery: desde n/a hasta &lt;= 1.0.4."}], "id": "CVE-2026-22485", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:30.940", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/my-album-gallery/vulnerability/wordpress-my-album-gallery-plugin-1-0-4-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.4]"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 85.0, "source": "matching"}]}, "original": {"product": "My Album Gallery", "source": "cna", "vendor": "Ruhul Amin"}, "product": "my_album_gallery", "vendor": "ruhul080"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T18:50:50.927804+00:00", "value": {"mitigation_remediation": ["Update the My Album Gallery plugin to a version newer than 1.0.4 if available or apply any official patch provided by the developer.", "Disable or remove the plugin until a fixed version is released to prevent any accidental or malicious file deletion.", "Review and tighten WordPress role permissions so that only trusted administrators can invoke file deletion actions, and monitor server logs for any unauthorized attempts."], "summary": {"action": "Immediate Patch", "impact": "File Deletion"}, "threat_synthesis": {"affected_systems": "Ruhul Amin\u2019s My Album Gallery plugin for WordPress is affected from the initial release through version 1.0.4. Users operating any of these versions are at risk and should consider the plugin\u2019s status in their environment.", "description_and_impact": "The vulnerability originates from a missing authorization check in the My Album Gallery WordPress plugin, which allows a user to delete arbitrary files from the server. This flaw is classified as a missing authorization weakness and is identified as CWE-862. An attacker who can interact with the plugin\u2019s deletion functionality may remove critical configuration or media files, leading to data loss, project interruption, or potential disruption of site availability.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation would require an attacker to reach the plugin\u2019s file deletion endpoint, possibly through a user that has been granted unintended permissions or by an unauthenticated user if the plugin\u2019s access controls are misconfigured. The exact attack vector is inferred from the description of an 'incorrectly configured access control security level'."}}}}, "created": "2026-03-25T21:35:27.644711+00:00", "updated": "2026-03-27T09:46:54.570550+00:00", "vendors": ["ruhul080", "ruhul080$PRODUCT$my_album_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}