CVE-2026-1298 identifies a Missing Authorization vulnerability (CWE-862) in the Easy Replace Image plugin for WordPress, affecting all versions up to and including 3.5.2. The root cause is the absence of proper capability checks in the image_replacement_from_url function, which is triggered via the eri_from_url AJAX action. This flaw allows any authenticated user with Contributor-level permissions or higher to replace arbitrary image attachments on the affected WordPress site by supplying external image URLs. Since Contributors typically have limited content creation rights, this vulnerability escalates their ability to manipulate site content beyond intended boundaries. The attack vector requires authentication but no additional user interaction or elevated privileges. The impact includes potential site defacement, enabling phishing attacks by replacing trusted images with malicious ones, or other content manipulation that can harm site integrity and user trust. The CVSS v3.1 base score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges required beyond Contributor, no user interaction, and impact limited to integrity loss without affecting confidentiality or availability. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly to prevent exploitation.

The vulnerability allows authenticated users with Contributor-level access to replace any image attachment on a WordPress site using the Easy Replace Image plugin, potentially leading to site defacement or phishing attacks. This undermines the integrity of website content, damaging user trust and brand reputation. Attackers could replace legitimate images with malicious or misleading ones, facilitating social engineering or malware distribution. Although it does not directly compromise confidentiality or availability, the manipulation of visual content can have significant reputational and operational impacts, especially for organizations relying on their websites for customer engagement or e-commerce. The ease of exploitation by relatively low-privileged users increases risk, particularly on sites with multiple contributors or weak user management. The scope is limited to sites running the vulnerable plugin, but given WordPress's widespread use, the number of potentially affected sites is substantial worldwide.

1. Immediately restrict Contributor-level user permissions to prevent unauthorized image replacement until a patch is available. 2. Monitor and audit image attachments regularly for unauthorized changes, using file integrity monitoring tools or WordPress audit plugins. 3. Disable or remove the Easy Replace Image plugin if it is not essential to site operations. 4. Implement a web application firewall (WAF) with custom rules to detect and block suspicious AJAX requests targeting the eri_from_url action. 5. Educate site administrators and content contributors about the risk and encourage strong user access management practices. 6. Once available, apply official patches or updates from the plugin vendor promptly. 7. Consider implementing additional authorization checks or custom code to validate user capabilities before allowing image replacements. 8. Use security plugins that can enforce stricter role-based access control and monitor AJAX endpoints for abuse.