CVE-2025-13693
Image Photo Gallery Final Tiles Grid <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' SettingThe Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 6,997 live websites that are affected by CVE-2025-13693.
Affected Software
| Product |  Final Tiles Grid Gallery Lite |
| Category | Wordpress Plugins |
| Vulnerable Domains | 6,997 live websites (74% of Final Tiles Grid Gallery Lite install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 45 versions ( 94% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Dec 21, 2025
- Updated - Dec 22, 2025
Credits
- Athiwat Tiprasaharn (finder)
- Itthidej Aramsri (finder)
- Powpy (finder)
- Waris Damkham (finder)
- Varakorn Chanthasri (finder)
- Peerapat Samatathanyakorn (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13693 United States | 1,437 websites |
 Germany | 906 websites |
 France | 510 websites |
 Italy | 493 websites |
 Poland | 357 websites |
 GB | 349 websites |
 Russia | 304 websites |
 Netherlands | 256 websites |
 Spain | 167 websites |
 Switzerland | 131 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13693| .com | 2,598 websites |
| .de | 508 websites |
| .it | 325 websites |
| .org | 294 websites |
| .pl | 275 websites |
| .ru | 248 websites |
| .co.uk | 229 websites |
| .nl | 228 websites |
| .fr | 209 websites |
| .net | 118 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13693
Top websites that are affected by CVE-2025-13693. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.ru | Russia | **,*** | |
| ********.***.br |  Brazil | **,*** | |
| **************.pl | Poland | ***,*** | |
| ******************.org | United States | ***,*** | |
| **************.com |  Belgium | ***,*** | |
| **********.com | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| ******.cz |  Czech Republic | ***,*** | |
| ****.com | United States | ***,*** | |
| ************.***.uk | GB | ***,*** |
FAQ
CVE-2025-13693 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Final Tiles Grid Gallery Lite
A total of 6,997 websites have been identified as vulnerable to CVE-2025-13693, based on global website indexing conducted by WebTechSurvey.
The Final Tiles Grid Gallery Lite is affected by the CVE-2025-13693 vulnerability.
Final Tiles Grid Gallery Lite versions up to and including 3.6.8 are vulnerable to CVE-2025-13693.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/625d2b09-a6b9-4c0c-8c36-3c565e688aac?source=cve
- https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lib/gallery-class.php#L126
- https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.6/lib/gallery-class.php#L126
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418337%40final-tiles-grid-gallery-lite&new=3418337%40final-tiles-grid-gallery-lite&sfp_email=&sfph_mail=