Skip to main content

Final Tiles Grid CVE-2026-27424

| EUVDEUVD-2026-31095 MEDIUM
Missing Authorization (CWE-862)
2026-05-20 Patchstack GHSA-6vcv-q8rq-gc32
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:35 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11.

AnalysisAI

Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.

Technical ContextAI

CWE-862 (Missing Authorization) describes a failure to verify that an authenticated user possesses the necessary permissions before executing a sensitive operation. In the WordPress plugin ecosystem, this typically manifests as AJAX handlers, REST API endpoints, or admin-ajax.php hooks that check only for user authentication (is_user_logged_in()) but not for capability or role (current_user_can()). The affected product is confirmed by CPE cpe:2.3:a:wp_chill:image_photo_gallery_final_tiles_grid:*:*:*:*:*:*:*:* as the 'Image Photo Gallery Final Tiles Grid' plugin developed by WP Chill, a gallery/portfolio plugin for WordPress. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates the flaw is reachable over the network with low complexity and no user interaction required beyond holding a low-privileged account, and scope is unchanged with only a limited confidentiality impact and no integrity or availability impact.

RemediationAI

The primary remediation is to update the Image Photo Gallery Final Tiles Grid plugin beyond version 3.6.11 as soon as a patched release is available from WP Chill. No exact fix version is independently confirmed from the available data - the Patchstack advisory at the reference URL should be consulted to identify the specific remediated release version. Until a patch is confirmed and applied, compensating controls include restricting WordPress user registration to prevent untrusted users from obtaining low-privileged accounts (Settings > General > Membership), and auditing existing low-privileged users (subscribers, contributors) to remove any that are unnecessary. WordPress site owners using security plugins such as Wordfence or Patchstack's own firewall may be able to apply virtual patching rules that block exploitation of the specific misconfigured endpoint. Note that disabling the plugin entirely eliminates the attack surface but removes gallery functionality.

Share

CVE-2026-27424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy