CVE-2026-1298 MEDIUM

CVE-2026-1298: Easy Replace Image <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement

Vendor Iulia-Cazan
Product Easy Replace Image
Weakness CWE-862 · Missing authorization
Published January 28, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation.

Explanation of Vulnerability in Simple Terms

02Summary

Easy Replace Image versions 3.5.2 and earlier lack proper authorization checks on certain operations. A logged-in user with low privileges can modify image data without proper permission validation. The vulnerability does not affect data confidentiality or system availability, only the integrity of image content.

What an attacker can do

03Attacker Capabilities

A low-privilege logged-in user can modify images without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users may alter or replace images, compromising content integrity and potentially defacing the site.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege account on the site and network access to the vulnerable plugin.

Key dates

06Disclosure timeline

January 28, 2026 CVE published
April 8, 2026 Record updated