{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1298", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T17:35:06.750Z", "datePublished": "2026-01-28T05:30:18.900Z", "dateUpdated": "2026-04-08T16:42:52.905Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:52.905Z"}, "affected": [{"vendor": "iulia-cazan", "product": "Easy Replace Image", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.5.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation."}], "title": "Easy Replace Image <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-01-23T14:24:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-27T17:10:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T20:51:39.723835Z", "id": "CVE-2026-1298", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T20:51:45.851Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1298", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T20:51:39.723835Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T20:51:43.205Z"}}], "cna": {"title": "Easy Replace Image <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "iulia-cazan", "product": "Easy Replace Image", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.5.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T14:24:07.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-27T17:10:48.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961"}, {"url": "https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-28T05:30:18.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1298", "state": "PUBLISHED", "dateUpdated": "2026-01-28T20:51:45.851Z", "dateReserved": "2026-01-21T17:35:06.750Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T05:30:18.900Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation."}, {"lang": "es", "value": "El plugin Easy Replace Image para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 3.5.2, inclusive. Esto se debe a la falta de comprobaciones de capacidad en la funci\u00f3n 'image_replacement_from_url' que est\u00e1 enganchada a la acci\u00f3n AJAX 'eri_from_url'. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, reemplacen archivos adjuntos de imagen arbitrarios en el sitio con im\u00e1genes de URLs externas, lo que podr\u00eda permitir la desfiguraci\u00f3n del sitio, ataques de phishing o manipulaci\u00f3n de contenido."}], "id": "CVE-2026-1298", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-01-28T06:15:49.300", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:34:43.794479+00:00", "value": {"mitigation_remediation": ["Update the Easy Replace Image plugin to version 3.5.3 or later, which removes the missing capability checks for the AJAX action.", "If an update is not immediately possible, disable the eri_from_url AJAX action or restrict it to administrators by editing the plugin files or using a security plugin that blocks unauthorized AJAX requests.", "Monitor the media library and site logs for unexpected image replacements, and consider implementing a CSP that blocks external image loading to reduce the impact of any attempted replacement."], "summary": {"action": "Patch", "impact": "Unrestricted attachment replacement allowing defacement and phishing"}, "threat_synthesis": {"affected_systems": "WordPress installations running Easy Replace Image up to version 3.5.2 are affected. The issue is present in all releases up to and including 3.5.2; later releases contain the fix.", "description_and_impact": "The Easy Replace Image plugin for WordPress fails to enforce authorization on the image_replacement_from_url function, which is bound to the eri_from_url AJAX action. This flaw permits any authenticated user with Contributor-level access or higher to upload arbitrary external images and replace existing attachments on the site. The consequence is potential defacement, phishing, or content manipulation, compromising the site\u2019s integrity.", "risk_and_exploitability": "With a CVSS score of 4.3 the vulnerability is considered moderate. The EPSS score is less than 1%, indicating a very low current exploitation probability, and the issue is not listed in the CISA KEV catalog. An attacker must first authenticate to the site as a Contributor or higher user, then use the exposed AJAX endpoint to trigger the replacement. No additional privileges are required beyond the granted contributor rights."}}}}, "created": "2026-01-28T12:21:46.728053+00:00", "updated": "2026-04-15T21:45:14.141364+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}