CVE-2025-15466
📋 TL;DR
The Image Photo Gallery Final Tiles Grid WordPress plugin has insufficient access controls on AJAX endpoints, allowing authenticated users with Contributor privileges or higher to manipulate other users' galleries. This includes viewing, modifying, deleting, and reassigning ownership of galleries created by administrators. All WordPress sites using this plugin up to version 3.6.9 are affected.
💻 Affected Systems
- Image Photo Gallery Final Tiles Grid WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious contributor could delete all galleries, modify content to inject malicious code, or take ownership of administrative galleries, potentially leading to site defacement or malware distribution.
Likely Case
Disgruntled or compromised contributor-level user modifies or deletes galleries belonging to other users, causing content loss and disruption.
If Mitigated
With proper user access reviews and monitoring, impact is limited to unauthorized gallery modifications that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in AJAX endpoints that lack proper capability checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3435746/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Image Photo Gallery Final Tiles Grid'. 4. Click 'Update Now' if available, or manually update to version 3.7.0+. 5. Verify update completes successfully.
🔧 Temporary Workarounds
Temporary plugin deactivation
allDisable the vulnerable plugin until patched version can be installed
wp plugin deactivate final-tiles-grid-gallery-lite
Restrict user roles
allTemporarily remove Contributor and higher roles from untrusted users
wp user remove-role <username> contributor
wp user remove-role <username> author
wp user remove-role <username> editor
🧯 If You Can't Patch
- Disable the Image Photo Gallery Final Tiles Grid plugin completely
- Implement strict user access controls and monitor gallery modifications
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Image Photo Gallery Final Tiles Grid' version 3.6.9 or lowerCheck Version:
wp plugin get final-tiles-grid-gallery-lite --field=versionVerify Fix Applied:
Verify plugin version shows 3.7.0 or higher in WordPress admin plugins list📡 Detection & Monitoring
Log Indicators:
- Unusual gallery modification activity from non-admin users
- Multiple gallery delete/create events from single user session
- AJAX requests to /wp-admin/admin-ajax.php with action parameters like 'ftg_save_gallery', 'ftg_delete_gallery'
Network Indicators:
- POST requests to admin-ajax.php with gallery manipulation parameters from non-admin IPs
SIEM Query:
source="wordpress.log" AND ("ftg_save_gallery" OR "ftg_delete_gallery" OR "ftg_clone_gallery") AND user_role!="administrator"