Description
The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation.
Published: 2026-01-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted attachment replacement allowing defacement and phishing
Action: Patch
AI Analysis

Impact

The Easy Replace Image plugin for WordPress fails to enforce authorization on the image_replacement_from_url function, which is bound to the eri_from_url AJAX action. This flaw permits any authenticated user with Contributor-level access or higher to upload arbitrary external images and replace existing attachments on the site. The consequence is potential defacement, phishing, or content manipulation, compromising the site’s integrity.

Affected Systems

WordPress installations running Easy Replace Image up to version 3.5.2 are affected. The issue is present in all releases up to and including 3.5.2; later releases contain the fix.

Risk and Exploitability

With a CVSS score of 4.3 the vulnerability is considered moderate. The EPSS score is less than 1%, indicating a very low current exploitation probability, and the issue is not listed in the CISA KEV catalog. An attacker must first authenticate to the site as a Contributor or higher user, then use the exposed AJAX endpoint to trigger the replacement. No additional privileges are required beyond the granted contributor rights.

Generated by OpenCVE AI on April 15, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy Replace Image plugin to version 3.5.3 or later, which removes the missing capability checks for the AJAX action.
  • If an update is not immediately possible, disable the eri_from_url AJAX action or restrict it to administrators by editing the plugin files or using a security plugin that blocks unauthorized AJAX requests.
  • Monitor the media library and site logs for unexpected image replacements, and consider implementing a CSP that blocks external image loading to reduce the impact of any attempted replacement.

Generated by OpenCVE AI on April 15, 2026 at 21:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Wed, 28 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 28 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation.
Title Easy Replace Image <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:52.905Z

Reserved: 2026-01-21T17:35:06.750Z

Link: CVE-2026-1298

cve-icon Vulnrichment

Updated: 2026-01-28T20:51:43.205Z

cve-icon NVD

Status : Deferred

Published: 2026-01-28T06:15:49.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses