PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27424 WP Chill CVE debrief

CVE-2026-27424 is a missing-authorization / broken-access-control issue reported for the WordPress Image Photo Gallery Final Tiles Grid plugin through version 3.6.11. The NVD record maps it to CWE-862 and assigns a CVSS 3.1 score of 4.3 (Medium), with a network-reachable, low-privilege attack path and limited confidentiality impact in the supplied vector. The source data points to a Patchstack advisory for the affected plugin and version range.

Vendor: WP Chill
Product: Image Photo Gallery Final Tiles Grid
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site operators who use Image Photo Gallery Final Tiles Grid, especially administrators responsible for role-based access control, gallery management, and plugin patching. Sites that allow lower-privileged users to interact with the plugin’s admin or content workflows should review exposure promptly.

Technical summary

The supplied record describes a missing authorization weakness in Image Photo Gallery Final Tiles Grid, affecting versions through 3.6.11 (the record gives no lower bound). NVD tags the issue as CWE-862 and lists the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: the issue is reachable over the network, requires low privileges and no user interaction, and has limited confidentiality impact with no integrity or availability impact in the published vector. The source metadata also marks the NVD vulnerability status as Deferred at the time of the record.

Defensive priority

Medium. The score is not critical, but authorization flaws in WordPress plugins can still expose data or permit unintended actions if the plugin is installed and exposed to low-privileged roles. Prioritize this if the plugin is present on production sites or if non-admin users can interact with its workflows.

Recommended defensive actions

  • Inventory WordPress sites to confirm whether Image Photo Gallery Final Tiles Grid is installed and determine the exact version in use.
  • Review the Patchstack advisory and NVD record for vendor remediation guidance before making version changes.
  • Restrict access to plugin-related admin functions and verify that lower-privileged roles cannot reach actions intended for administrators.
  • Apply vendor fixes or remove the plugin if no patch is available and the plugin is not required.
  • Check logs and recent admin activity for unexpected gallery or plugin-setting changes.
  • Reassess any custom role/capability mappings around this plugin to ensure authorization checks are enforced correctly.
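
The inventory step above can be scripted. The following is an added example, not code from PatchSiren, Patchstack or the plugin vendor: it walks a directory of WordPress installs, reads the plugin's Version header and flags anything at or below 3.6.11. The plugin directory name is not given on this page, so SLUG is a placeholder to replace; the sample tree and its version numbers are constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = "3.6.11"          # the debrief: affected "through version 3.6.11"
SLUG = "PLUGIN-SLUG-PLACEHOLDER"  # assumption: the directory name is not on this page
HEADER_BYTES = 8192               # WordPress reads plugin headers from the first 8 KB

def version_key(version):
    """'3.6.11' -> (3, 6, 11), so 3.6.9 sorts below 3.6.11 (a string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def plugin_version(plugin_dir):
    """Return the Version header from the plugin's main PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M | re.I):
            found = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.M | re.I)
            return found.group(1) if found else None
    return None

def audit(search_root, slug=SLUG):
    """Return [(site path, version, status)] for every install of `slug` under search_root."""
    root, rows = Path(search_root), []
    for plugin_dir in sorted(root.glob(f"**/wp-content/plugins/{slug}")):
        version = plugin_version(plugin_dir)
        if version is None:
            status = "REVIEW"        # no readable header: check this install by hand
        elif version_key(version) <= version_key(LAST_AFFECTED):
            status = "AFFECTED"
        else:
            status = "ABOVE-RANGE"   # outside the published range, not proof of a fix
        site = plugin_dir.parents[2].relative_to(root).as_posix()
        rows.append((site, version, status))
    return rows

def build_sample(root):
    """Constructed sample tree: four sites with made-up versions of the plugin."""
    headers = {"site-a": " * Version: 3.6.9\n", "site-b": " * Version: 3.6.11\n",
               "site-c": " * Version: 3.6.12\n", "site-d": ""}
    for site, header in headers.items():
        d = Path(root, site, "wp-content", "plugins", SLUG)
        d.mkdir(parents=True)
        (d / "main.php").write_text("<?php\n/**\n * Plugin Name: Sample\n" + header + " */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in audit(tmp):
            print(*row, sep="\t")
```

Point audit() at the directory that holds your site roots; a REVIEW row means the header could not be read and the install needs a manual check.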

Evidence notes

This debrief is based only on the supplied NVD record and the linked Patchstack advisory reference. The source data names the product as Image Photo Gallery Final Tiles Grid and cites a broken-access-control / missing-authorization issue through version 3.6.11. The vendor identity in the supplied metadata is not fully resolved, so the debrief avoids stronger vendor attribution than the source corpus supports. No KEV entry is included in the supplied data.

Official resources

Publicly listed on 2026-05-20T13:16:16.897Z and modified the same day at 2026-05-20T13:54:54.890Z (both UTC). No CISA KEV entry is included in the supplied data.