Description
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
Published: 2025-12-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized gallery modification and deletion
Action: Patch
AI Analysis

Impact

The WordPress plugin Image Photo Gallery Final Tiles Grid contains an authorization bypass that allows any authenticated user with Contributor or higher privileges to delete, modify, or clone galleries created by any user, including administrators, thereby compromising the integrity of gallery content.

Affected Systems

All installations of the Image Photo Gallery Final Tiles Grid plugin up to and including version 3.6.7, regardless of minor or patch updates within that range, are affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate to the WordPress site with a Contributor or higher role, then use the normal gallery management interface to carry out deletion, modification, or cloning actions. No remote code execution or data exfiltration beyond gallery manipulation is possible from this flaw.

Generated by OpenCVE AI on April 21, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Image Photo Gallery Final Tiles Grid plugin to the latest available version (3.6.8 or newer) to remove the authorization flaw.
  • Reconfigure WordPress user roles so that Contributor and other non-admin accounts do not have gallery management permissions, or remove those capabilities using a role editor plugin.
  • Audit existing galleries for unauthorized modifications or deletions, and restore affected galleries from backups if necessary.

Generated by OpenCVE AI on April 21, 2026 at 17:00 UTC.
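The missing-authorization pattern (CWE-862) described in the Description and addressed by the recommended actions, shown as an illustrative PHP example added here; this is not the plugin's code. It contrasts a hypothetical gallery-deletion AJAX handler that performs no per-object check with a hardened version that verifies a nonce, the object type and the WordPress meta capability for that specific gallery; the post type name `ftg_gallery`, the action name and the nonce name are assumptions.

```php
<?php
// Editor's illustrative example, NOT code from the plugin. Assumes galleries
// are stored as a custom post type 'ftg_gallery' registered with
// 'map_meta_cap' => true, so 'delete_post' / 'edit_post' resolve per object.

// Vulnerable shape: admin-ajax.php only guarantees the caller is logged in.
// Nothing ties the caller to the gallery, so any Contributor can delete a
// gallery authored by an administrator just by supplying its ID.
function example_delete_gallery_vulnerable() {
    $gallery_id = intval( $_POST['gallery_id'] ?? 0 );
    wp_delete_post( $gallery_id, true );
    wp_send_json_success();
}

// Hardened shape: CSRF token, object validation, per-object authorization.
function example_delete_gallery_hardened() {
    // 1. Nonce bound to this action (dies with 403 on failure).
    check_ajax_referer( 'example_gallery_nonce', 'nonce' );

    $gallery_id = intval( $_POST['gallery_id'] ?? 0 );
    $gallery    = get_post( $gallery_id );

    // 2. The target must exist and be a gallery, not some other post type.
    if ( ! $gallery || 'ftg_gallery' !== $gallery->post_type ) {
        wp_send_json_error( 'Gallery not found.', 404 );
    }

    // 3. Authorization against THIS object. map_meta_cap() turns
    //    'delete_post' into delete_posts / delete_published_posts /
    //    delete_others_posts depending on author and status, so a
    //    Contributor may only remove their own unpublished galleries,
    //    while administrators pass for any gallery. Use 'edit_post' the
    //    same way for modify and clone handlers.
    if ( ! current_user_can( 'delete_post', $gallery_id ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    wp_delete_post( $gallery_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_gallery', 'example_delete_gallery_hardened' );
```

A blanket `current_user_can( 'manage_options' )` would also close the hole, but the per-object meta capability keeps legitimate author access while still denying cross-user changes.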


Advisories

No advisories yet.

History

Sun, 21 Dec 2025 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
                                       Wpchill
                                       Wpchill image Photo Gallery Final Tiles Grid
Vendors & Products                     Wordpress
                                       Wordpress wordpress
                                       Wpchill
                                       Wpchill image Photo Gallery Final Tiles Grid

Fri, 19 Dec 2025 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Dec 2025 09:45:00 +0000

Type                  Values Removed   Values Added
Description                            The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
Title                                  Image Photo Gallery Final Tiles Grid <= 3.6.7 - Missing Authorization to Authenticated (Contributor+) Gallery Management
Weaknesses                             CWE-862
References
Metrics                                cvssV3_1
                                       {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Wordpress Wordpress
Wpchill Image Photo Gallery Final Tiles Grid
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:05.427Z

Reserved: 2025-12-10T14:47:25.710Z

Link: CVE-2025-14455

Vulnrichment

Updated: 2025-12-19T14:24:24.743Z

NVD

Status : Deferred

Published: 2025-12-19T10:15:48.017

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses