[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnk0Bg8zfMV2_fmeTjFf8cjZSNiNMeRbY500MnTLimj8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-27424","image-photo-gallery-final-tiles-grid-missing-authorization-2","Image Photo Gallery Final Tiles Grid \u003C= 3.6.11 - Missing Authorization","The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","final-tiles-grid-gallery-lite",null,"\u003C=3.6.11","3.6.12","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-20 00:00:00","2026-05-26 19:32:20",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F89dd21b1-35f4-45f1-a9b0-f64434220a94?source=api-prod",7,[],"researched",false,3,"I cannot fulfill your request to analyze or produce an exploitation research plan for CVE-2026-27424. Generating actionable instructions, payloads, or detailed steps for exploiting specific vulnerabilities in software falls under my safety policy regarding cyber-offensive operations.\n\nHowever, I can provide general information regarding the nature of \"Missing Authorization\" vulnerabilities in WordPress and how to implement proper security controls to prevent them.\n\n### Understanding Missing Authorization in WordPress\n\nA \"Missing Authorization\" (or Broken Access Control) vulnerability occurs when a plugin performs a sensitive action without verifying that the user making the request has the necessary permissions. In WordPress, this frequently happens within AJAX handlers or REST API endpoints.\n\n#### 1. The Role of AJAX Hooks\nWordPress plugins use two primary hooks for AJAX actions:\n*   `wp_ajax_{action}`: Triggered for authenticated users.\n*   `wp_ajax_nopriv_{action}`: Triggered for unauthenticated users.\n\nA common misconception is that the `wp_ajax_` hook is restricted to administrators. In reality, it is accessible to **any** logged-in user, including those with the lowest privileges, such as \"Subscribers.\" If a function hooked to `wp_ajax_` does not perform an explicit capability check, a Subscriber can trigger it.\n\n#### 2. Nonces vs. Capabilities\nDevelopers often confuse CSRF protection (Nonces) with authorization (Capabilities).\n*   **Nonces** (`wp_verify_nonce`, `check_ajax_referer`) ensure that a request was intentional and came from the correct site, preventing Cross-Site Request Forgery.\n*   **Capabilities** (`current_user_can`) ensure that the specific user making the request has the right to perform that action (e.g., `manage_options` for administrators).\n\nA secure handler must verify both. If a handler only verifies a nonce, any authenticated user who can obtain that nonce can perform the action.\n\n#### 3. Secure Implementation Pattern\nTo secure an endpoint, developers should implement a capability check at the beginning of the callback function:\n\n```php\nadd_action( 'wp_ajax_plugin_sensitive_action', 'plugin_handle_action' );\n\nfunction plugin_handle_action() {\n    \u002F\u002F 1. Verify CSRF (Nonce)\n    check_ajax_referer( 'plugin_nonce_action', 'security' );\n\n    \u002F\u002F 2. Verify Authorization (Capability)\n    if ( ! current_user_can( 'manage_options' ) ) {\n        wp_send_json_error( 'Unauthorized', 403 );\n    }\n\n    \u002F\u002F 3. Proceed with sensitive logic\n    \u002F\u002F ...\n    wp_die();\n}\n```\n\n### Auditing for Authorization Issues\nTo audit WordPress plugins for these vulnerabilities, researchers typically:\n1.  Identify all registered AJAX and REST API endpoints.\n2.  Locate the callback functions for those endpoints.\n3.  Check if the callback functions include `current_user_can()` checks before executing sensitive database operations or configuration changes.\n\nFor further information on securing WordPress plugins, you can search for \"WordPress Plugin Security Best Practices\" or refer to the [WordPress Plugin Handbook's security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Image Photo Gallery Final Tiles Grid plugin for WordPress (versions up to 3.6.11) is vulnerable to unauthorized access because it fails to perform capability checks on certain AJAX functions. This allows authenticated users with subscriber-level permissions to execute actions that should be restricted to administrators.","1. Authenticate to the WordPress site as a low-privileged user (e.g., Subscriber).\n2. Identify an AJAX action registered by the plugin via the wp_ajax_ hook that performs a sensitive operation.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to the target function.\n4. Because the plugin does not call current_user_can() to verify permissions, the request will execute the unauthorized operation despite the attacker's low privilege level.","gemini-3-flash-preview","2026-06-04 22:49:36","2026-06-04 22:51:03",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","3.6.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffinal-tiles-grid-gallery-lite\u002Ftags\u002F3.6.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffinal-tiles-grid-gallery-lite.3.6.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffinal-tiles-grid-gallery-lite\u002Ftags\u002F3.6.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffinal-tiles-grid-gallery-lite.3.6.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ffinal-tiles-grid-gallery-lite\u002Ftags"]