Description
Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Album Gallery: from n/a through <= 1.0.4.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File Deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from a missing authorization check in the My Album Gallery WordPress plugin, which allows a user to delete arbitrary files from the server. This flaw is classified as a missing authorization weakness and is identified as CWE-862. An attacker who can interact with the plugin’s deletion functionality may remove critical configuration or media files, leading to data loss, project interruption, or potential disruption of site availability.

Affected Systems

Ruhul Amin’s My Album Gallery plugin for WordPress is affected from the initial release through version 1.0.4. Users operating any of these versions are at risk and should consider the plugin’s status in their environment.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation would require an attacker to reach the plugin’s file deletion endpoint, possibly through a user that has been granted unintended permissions or by an unauthenticated user if the plugin’s access controls are misconfigured. The exact attack vector is inferred from the description of an 'incorrectly configured access control security level'.

Generated by OpenCVE AI on March 26, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the My Album Gallery plugin to a version newer than 1.0.4 if available or apply any official patch provided by the developer.
  • Disable or remove the plugin until a fixed version is released to prevent any accidental or malicious file deletion.
  • Review and tighten WordPress role permissions so that only trusted administrators can invoke file deletion actions, and monitor server logs for any unauthorized attempts.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ruhul080
Ruhul080 my Album Gallery
Wordpress
Wordpress wordpress
Vendors & Products Ruhul080
Ruhul080 my Album Gallery
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Album Gallery: from n/a through <= 1.0.4.
Title WordPress My Album Gallery plugin <= 1.0.4 - Arbitrary File Deletion vulnerability
Weaknesses CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T16:50:47.458Z

Reserved: 2026-01-07T13:44:23.294Z

Link: CVE-2026-22485

Vulnrichment

Updated: 2026-03-26T16:32:42.317Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:30.940

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:54Z

Weaknesses