The Image Photo Gallery Final Tiles Grid plugin for WordPress lacks capability checks on several AJAX endpoints, allowing an authenticated user with at least Contributor rights to view, create, modify, clone, delete, and reassign galleries owned by other users, including administrators. This defect permits a user to change or remove content they should not be able to, violating confidentiality, integrity, and potentially availability of photo galleries. The weakness is a missing authorization check, identified as CWE-862.

All WordPress installations that have the Image Photo Gallery Final Tiles Grid plugin installed in a version up to and including 3.6.9 are affected. This includes any host that relies on this plugin for gallery functionality. No specific server or operating system is required beyond a WordPress site using the vulnerable plugin version.

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1 % suggests a low probability that this vulnerability is actively exploited in the wild, and it is not listed in the CISA KEV catalog. Nevertheless, because the attack vector requires only authenticated access with Contributor-level permissions—which are common on many sites—an attacker can relatively easily manipulate gallery data once credentials are known or obtained. The vulnerability can be exploited simply by sending crafted AJAX requests from the client side, so network visibility or additional defenses outside WordPress are not required.