CVE-2026-22485
Received - Intake
Missing Authorization in My Album Gallery <= 1.0.4 Enables Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Album Gallery: from n/a through <= 1.0.4.
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product            Version / Range
ruhual_amin   my_album_gallery   up to 1.0.4 (inclusive)
patchstack    my_album_gallery   up to 1.0.4 (inclusive)
Exploitability
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in My Album Gallery Plugin allows arbitrary file deletion due to broken access control, which can lead to compromise of core website files and potential site malfunction or failure.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to delete arbitrary files could indirectly impact compliance by causing data loss, disruption of services, or exposure of sensitive information.

Organizations relying on this plugin should consider the risk of non-compliance due to potential data integrity and availability issues stemming from this vulnerability.


Can you explain this vulnerability to me?

CVE-2026-22485 is a Missing Authorization vulnerability in the My Album Gallery WordPress plugin (versions up to and including 1.0.4). It is classified as an Arbitrary File Deletion vulnerability under OWASP Top 10 A1: Broken Access Control.

This vulnerability allows an attacker with subscriber-level privileges to delete arbitrary files from the affected website. The issue arises due to incorrectly configured access control security levels, which fail to properly restrict file deletion capabilities.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to deletion of core website files, which may cause the website to malfunction or even completely fail.

Because the vulnerability can be exploited by users with low privileges (subscriber-level), it poses a significant risk and has a high likelihood of exploitation, often targeted in mass-exploit campaigns.

No official patch is currently available, so immediate mitigation or resolution is strongly advised to prevent potential damage.


What immediate steps should I take to mitigate this vulnerability?

The My Album Gallery WordPress plugin versions up to and including 1.0.4 are affected by a high-priority Arbitrary File Deletion vulnerability (CVE-2026-22485).

No official patch is currently available for this issue.

Immediate mitigation can be achieved by applying Patchstack’s mitigation rule, which can block attacks exploiting this vulnerability until an official patch is released.

It is strongly advised to apply this mitigation or update the plugin as soon as an official patch becomes available.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no specific information provided about detection commands or methods for this vulnerability in the available resources.

However, since the vulnerability affects the My Album Gallery WordPress plugin versions up to 1.0.4, detection can start by identifying if this plugin and version is installed on your WordPress site.

  • Check the installed plugin version via WordPress admin dashboard or by inspecting the plugin files.
  • Use commands to list the plugin version, for example, via WP-CLI: wp plugin list
  • Monitor web server logs for suspicious requests attempting arbitrary file deletion or unauthorized access patterns targeting the plugin.

Patchstack has released a mitigation rule that can block attacks exploiting this vulnerability, which can be applied as a temporary defense until an official patch is available.
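As an added example that is not part of this record or of the plugin's own code, the following Python check runs the version test the answer above suggests over the output of `wp plugin list --format=json`. The affected slug and the 1.0.4 upper bound come from the advisory; the sample plugin list is constructed, and the script name in the usage comment is a placeholder.

```python
import json
import re
import sys

AFFECTED_SLUG = "my-album-gallery"   # plugin slug from the advisory
LAST_AFFECTED = "1.0.4"              # "from n/a through <= 1.0.4"


def parse_version(text):
    """Split a dotted version into a tuple of ints so that 1.0.10 > 1.0.4.
    A non-numeric suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_le(a, b):
    """True if version tuple a <= b, padding with zeros so that
    1.0 == 1.0.0 and 1.0.4.0 == 1.0.4."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def is_affected(slug, version):
    """Affected only for the advisory's slug and a version <= 1.0.4."""
    return slug == AFFECTED_SLUG and version_le(
        parse_version(version), parse_version(LAST_AFFECTED))


def find_affected(plugin_list_json):
    """Return (name, version, status) for every affected entry in the
    `wp plugin list --format=json` output. Inactive copies are reported
    too: their files stay on disk until the plugin is removed."""
    return [(p["name"], p["version"], p["status"])
            for p in json.loads(plugin_list_json)
            if is_affected(p["name"], p["version"])]


# Constructed sample of `wp plugin list --format=json` output, not real site data.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "my-album-gallery", "status": "inactive", "update": "none",
     "version": "1.0.4"},
])

if __name__ == "__main__":
    # On a real site (placeholder script name): wp plugin list --format=json | python3 check_mag.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for name, version, status in find_affected(data):
        print(f"{name} {version} ({status}) is within the affected range")
```

A plain string comparison would wrongly treat 1.0.10 as older than 1.0.4, which is why the versions are split into integer tuples before comparing.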

