CVE-2025-15466 is a vulnerability identified in the Image Photo Gallery Final Tiles Grid plugin for WordPress, affecting all versions up to and including 3.6.9. The root cause is a missing authorization check (CWE-862) on multiple AJAX endpoints, which handle gallery-related actions. These AJAX actions lack proper capability verification, allowing authenticated users with Contributor-level permissions or higher to bypass intended access controls. Consequently, such users can perform unauthorized operations on galleries created by other users, including administrators. These operations include viewing sensitive gallery data, creating new galleries, modifying existing ones, cloning galleries, deleting galleries, and reassigning gallery ownership. The vulnerability impacts the integrity and confidentiality of gallery data but does not affect availability. Exploitation requires authentication but no additional user interaction. The CVSS 3.1 base score is 5.4, reflecting medium severity due to the ease of exploitation by authenticated users and the scope of impact limited to gallery data within the plugin. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on January 19, 2026, with Wordfence as the assigner. This flaw highlights the importance of proper capability checks in WordPress plugins, especially those managing user-generated content and administrative data.

The vulnerability allows authenticated users with Contributor-level access or higher to manipulate galleries belonging to other users, including administrators. This can lead to unauthorized disclosure of gallery content, unauthorized modification or deletion of galleries, and reassignment of gallery ownership, potentially enabling privilege escalation or further unauthorized actions within the WordPress site. Organizations relying on this plugin risk data integrity breaches and loss of trust in content management. Attackers could disrupt website content, deface galleries, or leverage ownership reassignment to gain elevated privileges indirectly. While availability is not directly impacted, the integrity and confidentiality of gallery data are compromised. This may affect websites that rely heavily on the plugin for image gallery management, including blogs, portfolios, and e-commerce sites. The medium CVSS score reflects moderate risk but should not be underestimated given the potential for lateral movement within compromised WordPress environments.

1. Immediately restrict Contributor-level and higher user permissions to trusted users only until a patch is available. 2. Monitor and audit user actions related to gallery management to detect unauthorized modifications or ownership changes. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious AJAX requests targeting the vulnerable plugin endpoints. 4. Disable or remove the Image Photo Gallery Final Tiles Grid plugin if it is not essential to reduce attack surface. 5. Follow vendor announcements closely for official patches or updates and apply them promptly once released. 6. Consider applying manual code-level fixes by adding proper capability checks on all AJAX actions within the plugin if you have development resources. 7. Educate site administrators about the risks of granting Contributor or higher roles to untrusted users. 8. Regularly back up WordPress site data and galleries to enable recovery in case of unauthorized changes.