CVE-2025-15466
Unauthorized Access in Image Photo Gallery Plugin via Missing Capability Checks
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| final_tiles_grid_gallery | final_tiles_grid_gallery | to 3.6.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Image Photo Gallery Final Tiles Grid plugin for WordPress, where multiple AJAX actions lack proper capability checks. As a result, authenticated users with Contributor-level access or higher can unauthorizedly view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers with Contributor-level access or above to manipulate galleries created by other users, including administrators. This can lead to unauthorized data modification, data exposure, and potential disruption of gallery content management within the WordPress site. [1]
What immediate steps should I take to mitigate this vulnerability?
Update the Image Photo Gallery Final Tiles Grid plugin for WordPress to version 3.6.10 or later, which contains the fix for the vulnerability by adding the missing capability checks on AJAX actions. [1]