Description
Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image easy-replace-image allows Server Side Request Forgery. This issue affects Easy Replace Image: from n/a through <= 3.5.0.
Published: 2025-05-07
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Easy Replace Image plugin allows an attacker to make the server issue arbitrary HTTP requests on the attacker's behalf. If exploited, the server could reach internal network resources, access restricted data, or be used to mount further attacks against downstream services. The plugin exposes this through insufficient validation of user-supplied URLs when replacing images. The weakness is classified as CWE-918 and carries a CVSS score of 4.9, indicating moderate severity.

Affected Systems

WordPress installations that have the Easy Replace Image plugin provided by Iulia Cazan, version 3.5.0 or earlier, are affected. The vulnerability applies to all releases from the plugin’s inception up to and including 3.5.0.

Risk and Exploitability

With a CVSS score of 4.9 the risk level is moderate, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to trigger the plugin's functions, typically by interacting with the WordPress admin interface or by making the plugin process a crafted image URL. Because the requests are issued server-side, the impact is limited to the privileged WordPress host, although that position can be used to probe internal networks or exfiltrate data.

Generated by OpenCVE AI on April 30, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Replace Image to a version newer than 3.5.0 that removes the SSRF flaw.
  • If an upgrade cannot be performed immediately, disable or uninstall the Easy Replace Image plugin to eliminate the vulnerable code path.
  • Apply network restrictions or use a dedicated firewall rule to block outbound HTTP(S) requests that originate from WordPress processes, thereby limiting the potential reach of any SSRF attempt.

Advisories

Source: EUVD
ID: EUVD-2025-13838
Title: Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image allows Server Side Request Forgery. This issue affects Easy Replace Image: from n/a through 3.5.0.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image allows Server Side Request Forgery. This issue affects Easy Replace Image: from n/a through 3.5.0.
    Added: Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image easy-replace-image allows Server Side Request Forgery.This issue affects Easy Replace Image: from n/a through <= 3.5.0.
  Title
    Removed: WordPress Easy Replace Image <= 3.5.0 - Server Side Request Forgery (SSRF) Vulnerability
    Added: WordPress Easy Replace Image plugin <= 3.5.0 - Server Side Request Forgery (SSRF) Vulnerability
  References
  Metrics cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics epss
    Removed: {'score': 0.00032}
    Added: {'score': 0.00037}

Thu, 08 May 2025 16:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:30:00 +0000
  Description: Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image allows Server Side Request Forgery. This issue affects Easy Replace Image: from n/a through 3.5.0.
  Title: WordPress Easy Replace Image <= 3.5.0 - Server Side Request Forgery (SSRF) Vulnerability
  Weaknesses: CWE-918
  References
  Metrics cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.532Z

Reserved: 2025-05-07T09:39:08.090Z

Link: CVE-2025-47483

Vulnrichment

Updated: 2025-05-08T16:10:38.188Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:02.507

Modified: 2026-04-23T15:30:18.527

Link: CVE-2025-47483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:45:36Z

Weaknesses