PT-2025-8916 · WordPress · Image Photo Gallery Final Tiles Grid

Craig Smith

Published

2025-02-27

Updated

2025-03-11

CVE-2024-6261

CVSS v3.1

6.4

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Image Photo Gallery Final Tiles Grid plugin for WordPress versions up to, and including, 3.6.0

Description The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the 'FinalTilesGallery' shortcode. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page.

Recommendations For versions up to, and including, 3.6.0, update to a version that includes the necessary input sanitization and output escaping fixes to prevent stored cross-site scripting attacks.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2024-6261

Affected Products

Image Photo Gallery Final Tiles Grid

PT-2025-8916 · WordPress · Image Photo Gallery Final Tiles Grid

CVE-2024-6261

Weakness Enumeration

Related Identifiers

Affected Products

References · 9