CVE-2025-15466
Image Photo Gallery Final Tiles Grid <= 3.6.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery ManagementThe Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators.
We have discovered 7,992 live websites that are affected by CVE-2025-15466.
Affected Software
| Product |  Final Tiles Grid Gallery Lite |
| Category | Wordpress Plugins |
| Vulnerable Domains | 7,992 live websites (85% of Final Tiles Grid Gallery Lite install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 46 versions ( 96% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Jan 19, 2026
- Updated - Jan 20, 2026
Credits
- Mohammad Amin Hajian (finder)
- Pouria Shahba (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-15466 United States | 1,745 websites |
 Germany | 1,029 websites |
 France | 585 websites |
 Italy | 534 websites |
 GB | 418 websites |
 Poland | 394 websites |
 Russia | 318 websites |
 Netherlands | 306 websites |
 Spain | 182 websites |
 Switzerland | 154 websites |
Website Distribution by TLD
Number of websites using CVE-2025-15466| .com | 3,011 websites |
| .de | 583 websites |
| .it | 349 websites |
| .org | 343 websites |
| .pl | 305 websites |
| .co.uk | 287 websites |
| .nl | 273 websites |
| .ru | 258 websites |
| .fr | 252 websites |
| .net | 137 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-15466
Top websites that are affected by CVE-2025-15466. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.com | United States | **,*** | |
| ****.ru | Russia | **,*** | |
| ********.***.br |  Brazil | **,*** | |
| **************.pl | Poland | ***,*** | |
| ******************.org | United States | ***,*** | |
| **************.com |  Belgium | ***,*** | |
| **********.com | United States | ***,*** | |
| ***********.com | United States | ***,*** | |
| ******.cz |  Czech Republic | ***,*** | |
| ****.com | United States | ***,*** |
FAQ
CVE-2025-15466 is Missing Authorization in Final Tiles Grid Gallery Lite
A total of 7,992 websites have been identified as vulnerable to CVE-2025-15466, based on global website indexing conducted by WebTechSurvey.
The Final Tiles Grid Gallery Lite is affected by the CVE-2025-15466 vulnerability.
Final Tiles Grid Gallery Lite versions up to and including 3.6.9 are vulnerable to CVE-2025-15466.