Skip to main content

Image Photo Gallery Final Tiles Grid

6 CVEs product

Monthly

CVE-2026-27424 MEDIUM This Month

Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-39510 LOW Monitor

WP Chill Image Photo Gallery Final Tiles Grid plugin versions up to 3.6.11 allow authenticated high-privilege administrators to modify image gallery settings through improper access control checks on user-supplied parameters, enabling limited integrity compromise of gallery configurations. The vulnerability has an extremely low EPSS score (0.02%, 4th percentile) and requires high-privilege credentials (PR:H), significantly limiting real-world exploitability despite network accessibility.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2024-6261 MEDIUM PATCH This Month

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Image Photo Gallery Final Tiles Grid
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-3710 MEDIUM POC This Month

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Image Photo Gallery Final Tiles Grid
NVD WPScan
CVSS 3.1
6.8
EPSS
0.5%
CVE-2022-0186 MEDIUM POC This Month

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Image Photo Gallery Final Tiles Grid
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-14962 MEDIUM POC This Month

Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Title (aka imageTitle) or Caption (aka. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP Image Photo Gallery Final Tiles Grid
NVD
CVSS 3.1
5.4
EPSS
0.9%
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
EPSS 0% CVSS 2.7
LOW Monitor

WP Chill Image Photo Gallery Final Tiles Grid plugin versions up to 3.6.11 allow authenticated high-privilege administrators to modify image gallery settings through improper access control checks on user-supplied parameters, enabling limited integrity compromise of gallery configurations. The vulnerability has an extremely low EPSS score (0.02%, 4th percentile) and requires high-privilege credentials (PR:H), significantly limiting real-world exploitability despite network accessibility.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Image Photo Gallery Final Tiles Grid
NVD
EPSS 0% CVSS 6.8
MEDIUM POC This Month

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Image Photo Gallery Final Tiles Grid
NVD WPScan
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as contributor to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Image Photo Gallery Final Tiles Grid
NVD WPScan
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Title (aka imageTitle) or Caption (aka. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress PHP +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy