{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22485", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.294Z", "datePublished": "2026-03-25T16:14:22.760Z", "dateUpdated": "2026-03-26T16:50:47.458Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "my-album-gallery", "product": "My Album Gallery", "vendor": "Ruhul Amin", "versions": [{"lessThanOrEqual": "<= 1.0.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:04.911Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects My Album Gallery: from n/a through <= 1.0.4.</p>"}], "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:22.760Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/my-album-gallery/vulnerability/wordpress-my-album-gallery-plugin-1-0-4-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress My Album Gallery plugin <= 1.0.4 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22485", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:45:26.599255Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:50:47.458Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22485", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:45:26.599255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:42.317Z"}}], "cna": {"title": "WordPress My Album Gallery plugin <= 1.0.4 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Ruhul Amin", "product": "My Album Gallery", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.0.4"}], "packageName": "my-album-gallery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:04.911Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/my-album-gallery/vulnerability/wordpress-my-album-gallery-plugin-1-0-4-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects My Album Gallery: from n/a through <= 1.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:22.760Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22485", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:50:47.458Z", "dateReserved": "2026-01-07T13:44:23.294Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:22.760Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Ruhul Amin My Album Gallery my-album-gallery permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a My Album Gallery: desde n/a hasta &lt;= 1.0.4."}], "id": "CVE-2026-22485", "lastModified": "2026-03-26T17:16:27.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:30.940", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/my-album-gallery/vulnerability/wordpress-my-album-gallery-plugin-1-0-4-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.4]"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 85.0, "source": "matching"}]}, "original": {"product": "My Album Gallery", "source": "cna", "vendor": "Ruhul Amin"}, "product": "my_album_gallery", "vendor": "ruhul080"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:21:43.178053+00:00", "value": {"mitigation_remediation": ["Upgrade My Album Gallery to version\u202f1.0.5 or newer.", "Back up the entire WordPress site, including the uploads directory, before applying updates.", "Limit access to the plugin\u2019s deletion functionality by configuring WordPress user roles or adding server\u2011side rules that block unauthenticated requests.", "After the update, verify that the deletion endpoint no longer accepts unauthenticated requests and review server logs for any residual attempts."], "summary": {"action": "Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "The problem exists in the Ruhul Amin My Album Gallery WordPress plugin, affecting all releases up to and including version\u202f1.0.4. Sites that have installed this plugin and expose its file\u2011management interface are at risk, regardless of the role the visitor holds unless further access control is manually applied.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows any user who can reach the WordPress site to send requests that delete arbitrary files from the server. Because the plugin fails to verify user permissions before performing a delete operation, an attacker can target media files, configuration files, or other critical assets. A successful exploitation results in data loss, service disruption, or compromise of the site\u2019s integrity.", "risk_and_exploitability": "While no CVSS score or EPSS value is publicly available, the ability to delete files without authentication makes the issue highly dangerous. The plugin does not require any elevated privileges beyond network access; a simple crafted HTTP request can trigger the deletion endpoint. The flaw is not yet listed in the CISA Known Exploited Vulnerabilities catalog, but the straightforward attack vector and lack of a patched release increase the urgency of remediation."}}}}, "created": "2026-03-25T21:35:27.644711+00:00", "updated": "2026-03-26T11:40:41.743868+00:00", "vendors": ["ruhul080", "ruhul080$PRODUCT$my_album_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}