CVE-2025-13693 Image Photo Gallery Final Tiles Grid <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting

🗓️ 21 Dec 2025 03:20:05Reported by WordfenceType

Authenticated authors can store XSS via Custom scripts in Image Photo Gallery Tiles Grid up to 3.6.8.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2025-13693	21 Dec 202506:08	–	circl
CNNVD	WordPress plugin Image Photo Gallery Final Tiles Grid 跨站脚本漏洞	21 Dec 202500:00	–	cnnvd
CVE	CVE-2025-13693	21 Dec 202503:20	–	cve
EUVD	EUVD-2025-204660	21 Dec 202506:31	–	euvd
NVD	CVE-2025-13693	21 Dec 202504:16	–	nvd
Patchstack	WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting vulnerability	31 Dec 202500:00	–	patchstack
Positive Technologies	PT-2025-52582	21 Dec 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-13693	22 Dec 202503:23	–	redhatcve
Vulnrichment	CVE-2025-13693 Image Photo Gallery Final Tiles Grid <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting	21 Dec 202503:20	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (December 15, 2025 to January 4, 2026)	8 Jan 202618:20	–	wordfence

[
  {
    "vendor": "wpchill",
    "product": "Image Photo Gallery Final Tiles Grid",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "3.6.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lib/gallery-class.php
plugins	www.plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.6/lib/gallery-class.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/625d2b09-a6b9-4c0c-8c36-3c565e688aac

08 Apr 2026 16:57Current

CVSS 3.16.4

EPSS0.00037

CWE-79