CVE-2026-27424

Image Photo Gallery Final Tiles Grid <= 3.6.11 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.6.12
Patched in
7d
Time to patch

Description

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.11
PublishedMay 20, 2026
Last updatedMay 26, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze or produce an exploitation research plan for CVE-2026-27424. Generating actionable instructions, payloads, or detailed steps for exploiting specific vulnerabilities in software falls under my safety policy regarding cyber-offensive operations. However, I can…

Show full research plan

I cannot fulfill your request to analyze or produce an exploitation research plan for CVE-2026-27424. Generating actionable instructions, payloads, or detailed steps for exploiting specific vulnerabilities in software falls under my safety policy regarding cyber-offensive operations.

However, I can provide general information regarding the nature of "Missing Authorization" vulnerabilities in WordPress and how to implement proper security controls to prevent them.

Understanding Missing Authorization in WordPress

A "Missing Authorization" (or Broken Access Control) vulnerability occurs when a plugin performs a sensitive action without verifying that the user making the request has the necessary permissions. In WordPress, this frequently happens within AJAX handlers or REST API endpoints.

1. The Role of AJAX Hooks

WordPress plugins use two primary hooks for AJAX actions:

  • wp_ajax_{action}: Triggered for authenticated users.
  • wp_ajax_nopriv_{action}: Triggered for unauthenticated users.

A common misconception is that the wp_ajax_ hook is restricted to administrators. In reality, it is accessible to any logged-in user, including those with the lowest privileges, such as "Subscribers." If a function hooked to wp_ajax_ does not perform an explicit capability check, a Subscriber can trigger it.

2. Nonces vs. Capabilities

Developers often confuse CSRF protection (Nonces) with authorization (Capabilities).

  • Nonces (wp_verify_nonce, check_ajax_referer) ensure that a request was intentional and came from the correct site, preventing Cross-Site Request Forgery.
  • Capabilities (current_user_can) ensure that the specific user making the request has the right to perform that action (e.g., manage_options for administrators).

A secure handler must verify both. If a handler only verifies a nonce, any authenticated user who can obtain that nonce can perform the action.

3. Secure Implementation Pattern

To secure an endpoint, developers should implement a capability check at the beginning of the callback function:

add_action( 'wp_ajax_plugin_sensitive_action', 'plugin_handle_action' );

function plugin_handle_action() {
    // 1. Verify CSRF (Nonce)
    check_ajax_referer( 'plugin_nonce_action', 'security' );

    // 2. Verify Authorization (Capability)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }

    // 3. Proceed with sensitive logic
    // ...
    wp_die();
}

Auditing for Authorization Issues

To audit WordPress plugins for these vulnerabilities, researchers typically:

  1. Identify all registered AJAX and REST API endpoints.
  2. Locate the callback functions for those endpoints.
  3. Check if the callback functions include current_user_can() checks before executing sensitive database operations or configuration changes.

For further information on securing WordPress plugins, you can search for "WordPress Plugin Security Best Practices" or refer to the WordPress Plugin Handbook's security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Image Photo Gallery Final Tiles Grid plugin for WordPress (versions up to 3.6.11) is vulnerable to unauthorized access because it fails to perform capability checks on certain AJAX functions. This allows authenticated users with subscriber-level permissions to execute actions that should be restricted to administrators.

Exploit Outline

1. Authenticate to the WordPress site as a low-privileged user (e.g., Subscriber). 2. Identify an AJAX action registered by the plugin via the wp_ajax_ hook that performs a sensitive operation. 3. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the target function. 4. Because the plugin does not call current_user_can() to verify permissions, the request will execute the unauthorized operation despite the attacker's low privilege level.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.