CVE-2025-14455

MEDIUM

Image Photo Gallery Final Tiles Grid <3.6.7 - Auth Bypass

Title source: llm

Description

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L213

Product

https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L528

Product

https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L684

Product

https://plugins.trac.wordpress.org/changeset/3417363/final-tiles-grid-gallery-lite/trunk/FinalTilesGalleryLite.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/830663b6-0786-48c7-9ffd-ac3ba2bd3e0c?source=cve

Scores

CVSS v3 5.4

EPSS 0.0025

EPSS Percentile 16.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

wpchill/Image Photo Gallery Final Tiles Grid < 3.6.7

Published Dec 19, 2025

Tracked Since Feb 18, 2026