Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.
AnalysisAI
WP Chill Image Photo Gallery Final Tiles Grid plugin versions up to 3.6.11 allow authenticated high-privilege administrators to modify image gallery settings through improper access control checks on user-supplied parameters, enabling limited integrity compromise of gallery configurations. The vulnerability has an extremely low EPSS score (0.02%, 4th percentile) and requires high-privilege credentials (PR:H), significantly limiting real-world exploitability despite network accessibility.
Technical ContextAI
The vulnerability stems from CWE-639 (Authorization Using User-Controlled Key), a weakness where access control decisions are based on user-supplied input rather than server-side authorization checks. In this WordPress plugin context, the vulnerability likely involves gallery or image settings endpoints that accept user-controlled identifiers or parameters to determine which resources an administrator can modify, without properly validating that the authenticated user should have access to those specific resources. The plugin's access control logic fails to enforce proper authorization boundaries between different administrator scopes or gallery ownership contexts.
RemediationAI
Update WP Chill Image Photo Gallery Final Tiles Grid plugin to a version newer than 3.6.11 when available. Site administrators should access the WordPress plugin dashboard, locate 'Image Photo Gallery Final Tiles Grid', and click 'Update' if a patched version is released. As an immediate interim measure on multi-administrator sites where privilege separation is critical, restrict WP-Admin gallery settings access to a single trusted administrator account and audit recent gallery configuration changes. Review the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-insecure-direct-object-references-idor-vulnerability) for vendor-specific patch timeline.
The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcod
The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description fiel
Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inj
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged a
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20177
GHSA-3677-p5q3-vx7h