Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11.
AnalysisAI
Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.
Technical ContextAI
CWE-862 (Missing Authorization) describes a failure to verify that an authenticated user possesses the necessary permissions before executing a sensitive operation. In the WordPress plugin ecosystem, this typically manifests as AJAX handlers, REST API endpoints, or admin-ajax.php hooks that check only for user authentication (is_user_logged_in()) but not for capability or role (current_user_can()). The affected product is confirmed by CPE cpe:2.3:a:wp_chill:image_photo_gallery_final_tiles_grid:*:*:*:*:*:*:*:* as the 'Image Photo Gallery Final Tiles Grid' plugin developed by WP Chill, a gallery/portfolio plugin for WordPress. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates the flaw is reachable over the network with low complexity and no user interaction required beyond holding a low-privileged account, and scope is unchanged with only a limited confidentiality impact and no integrity or availability impact.
RemediationAI
The primary remediation is to update the Image Photo Gallery Final Tiles Grid plugin beyond version 3.6.11 as soon as a patched release is available from WP Chill. No exact fix version is independently confirmed from the available data - the Patchstack advisory at the reference URL should be consulted to identify the specific remediated release version. Until a patch is confirmed and applied, compensating controls include restricting WordPress user registration to prevent untrusted users from obtaining low-privileged accounts (Settings > General > Membership), and auditing existing low-privileged users (subscribers, contributors) to remove any that are unnecessary. WordPress site owners using security plugins such as Wordfence or Patchstack's own firewall may be able to apply virtual patching rules that block exploitation of the specific misconfigured endpoint. Note that disabling the plugin entirely eliminates the attack surface but removes gallery functionality.
The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcod
The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description fiel
Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inj
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
WP Chill Image Photo Gallery Final Tiles Grid plugin versions up to 3.6.11 allow authenticated high-privilege administra
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31095
GHSA-6vcv-q8rq-gc32