Atomic Edge analysis of CVE-2026-25375:
The Image Photo Gallery Final Tiles Grid WordPress plugin version 3.6.10 and earlier contains a missing authorization vulnerability. This flaw allows authenticated attackers with contributor-level permissions or higher to perform unauthorized gallery deletion actions. The vulnerability resides in the plugin’s AJAX handler for the delete_gallery function.

Root Cause:
The vulnerability occurs because the delete_gallery function in final-tiles-grid-gallery-lite/FinalTilesGalleryLite.php does not adequately check the capabilities of the current user. Before proceeding with deletion, the function verifies only that the nonce is valid and that a gallery ID is present. The one user permission check it does contain runs only when the user lacks the 'delete_others_posts' capability, and even then it performs only a secondary ownership check via FinalTilesDB::canUserEdit(). This insufficient authorization model allows users with contributor permissions (who typically cannot delete others' posts) to delete galleries they do not own.

Exploitation:
Attackers exploit this vulnerability by sending a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'delete_gallery'. The request must include a valid nonce (obtainable by authenticated users) and the target gallery ID. The payload structure is: action=delete_gallery&id={target_gallery_id}&FinalTiles_gallery={valid_nonce}. Contributor-level authenticated attackers can use this endpoint to delete any gallery, regardless of ownership.

Patch Analysis:
The patch adds a comprehensive capability check before the ownership verification. It introduces a new condition that requires users to have either the 'delete_others_posts' capability (administrator/editor level) OR pass the ownership check via FinalTilesDB::canUserEdit(). The critical addition is the explicit capability requirement:

    if (!current_user_can('delete_others_posts')) {
        if (!FinalTilesDB::getInstance()->canUserEdit($gallery_id)) {
            wp_send_json_error(…);
        }
    }

This ensures only users with appropriate privileges can delete galleries they do not own.
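The following is an added example, not code from the Final Tiles Gallery plugin or from the patch itself. It models the handler shape the Root Cause and Patch Analysis sections describe: a WordPress AJAX delete handler gated only by a nonce and an ID, beside the hardened form that mirrors the patch's capability-then-ownership check. The nonce action name 'FinalTiles_gallery', the FinalTilesDB_Example stand-in class with its assumed table and column names, and the ftg_example_ function prefix are all assumptions made for the illustration.

```php
<?php
/**
 * Added example, not the plugin's own code: a stripped-down WordPress AJAX
 * handler for gallery deletion in the insufficiently authorized shape the
 * advisory describes, beside the hardened shape that mirrors the patch.
 *
 * Assumptions: the nonce action name 'FinalTiles_gallery', the gallery
 * table and column names used by the stand-in FinalTilesDB_Example class,
 * and the ftg_example_ prefix on the handler functions.
 */

// Stand-in for the plugin's FinalTilesDB singleton. Only the methods the
// handlers need are modelled; the schema is an assumption.
class FinalTilesDB_Example {
    private static $instance = null;

    public static function getInstance() {
        if (self::$instance === null) {
            self::$instance = new self();
        }
        return self::$instance;
    }

    // Ownership check: true when the gallery row's author is the current user.
    // Assumed to be the semantics of the plugin's canUserEdit().
    public function canUserEdit($gallery_id) {
        global $wpdb;
        $table  = $wpdb->prefix . 'ftg_galleries'; // assumed table name
        $author = $wpdb->get_var($wpdb->prepare(
            "SELECT author FROM {$table} WHERE id = %d", $gallery_id
        ));
        return $author !== null && (int) $author === get_current_user_id();
    }

    public function deleteGallery($gallery_id) {
        global $wpdb;
        $table = $wpdb->prefix . 'ftg_galleries'; // assumed table name
        return $wpdb->delete($table, array('id' => $gallery_id), array('%d'));
    }
}

// Vulnerable shape: a valid nonce and a present id are the only gates.
// A nonce proves the request originated from a logged-in user's page, not
// that this user may delete this gallery, so any contributor reaches
// deleteGallery() for galleries they do not own.
function ftg_example_delete_gallery_vulnerable() {
    check_ajax_referer('FinalTiles_gallery', 'FinalTiles_gallery');
    $gallery_id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
    if ($gallery_id <= 0) {
        wp_send_json_error('Missing gallery id', 400);
    }
    FinalTilesDB_Example::getInstance()->deleteGallery($gallery_id);
    wp_send_json_success();
}

// Hardened shape mirroring the patch: users without delete_others_posts
// (contributors, authors) may delete only galleries they own; editors and
// administrators, who hold delete_others_posts, skip the ownership lookup.
function ftg_example_delete_gallery_fixed() {
    check_ajax_referer('FinalTiles_gallery', 'FinalTiles_gallery');
    $gallery_id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
    if ($gallery_id <= 0) {
        wp_send_json_error('Missing gallery id', 400);
    }
    if (!current_user_can('delete_others_posts')) {
        if (!FinalTilesDB_Example::getInstance()->canUserEdit($gallery_id)) {
            wp_send_json_error('You are not allowed to delete this gallery', 403);
        }
    }
    FinalTilesDB_Example::getInstance()->deleteGallery($gallery_id);
    wp_send_json_success();
}

// Register only the hardened handler. The wp_ajax_ prefix (no nopriv
// variant) limits the endpoint to logged-in users; the capability check
// above is what limits it to the right logged-in users.
add_action('wp_ajax_delete_gallery', 'ftg_example_delete_gallery_fixed');
```

The design point the two handlers make explicit is that check_ajax_referer() is a CSRF control, not an authorization control: it confirms the request came from a page rendered for some logged-in user, and every authenticated role can obtain such a nonce. Authorization has to be decided from the user's capability (current_user_can) and, for lower roles, from ownership of the specific object; the hardened handler reaches deleteGallery() only after one of those two conditions holds.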

Impact:
Successful exploitation allows authenticated attackers with contributor-level access to delete arbitrary galleries created by other users. This results in data loss, gallery unavailability, and potential website content disruption. The vulnerability does not enable privilege escalation beyond the gallery deletion capability, but it violates the principle of least privilege by allowing users to delete content they should not control.