Skip to main content

Image Photo Gallery Final Tiles Grid EUVDEUVD-2026-20177

| CVE-2026-39510 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 Patchstack GHSA-3677-p5q3-vx7h
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 17:22 NVD
2.7 (LOW)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20177
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.

AnalysisAI

WP Chill Image Photo Gallery Final Tiles Grid plugin versions up to 3.6.11 allow authenticated high-privilege administrators to modify image gallery settings through improper access control checks on user-supplied parameters, enabling limited integrity compromise of gallery configurations. The vulnerability has an extremely low EPSS score (0.02%, 4th percentile) and requires high-privilege credentials (PR:H), significantly limiting real-world exploitability despite network accessibility.

Technical ContextAI

The vulnerability stems from CWE-639 (Authorization Using User-Controlled Key), a weakness where access control decisions are based on user-supplied input rather than server-side authorization checks. In this WordPress plugin context, the vulnerability likely involves gallery or image settings endpoints that accept user-controlled identifiers or parameters to determine which resources an administrator can modify, without properly validating that the authenticated user should have access to those specific resources. The plugin's access control logic fails to enforce proper authorization boundaries between different administrator scopes or gallery ownership contexts.

RemediationAI

Update WP Chill Image Photo Gallery Final Tiles Grid plugin to a version newer than 3.6.11 when available. Site administrators should access the WordPress plugin dashboard, locate 'Image Photo Gallery Final Tiles Grid', and click 'Update' if a patched version is released. As an immediate interim measure on multi-administrator sites where privilege separation is critical, restrict WP-Admin gallery settings access to a single trusted administrator account and audit recent gallery configuration changes. Review the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-insecure-direct-object-references-idor-vulnerability) for vendor-specific patch timeline.

Share

EUVD-2026-20177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy