CVE-2026-1298: CWE-862 Missing Authorization in iulia-cazan Easy Replace Image
CVE-2026-1298 is a medium-severity vulnerability in the Easy Replace Image WordPress plugin (all versions up to and including 3.5.2) caused by a missing authorization check on an AJAX action. Authenticated users with Contributor-level access or higher can exploit the flaw to replace arbitrary image attachments with images fetched from external URLs, which enables site defacement, phishing, or content manipulation without administrator privileges. The vulnerability stems from the lack of a capability check in the image_replacement_from_url function hooked to the eri_from_url AJAX action. No in-the-wild exploitation has been reported, but the issue is publicly disclosed and affects every site running the plugin. Mitigation consists of updating the plugin once a patch is available; until then, restrict Contributor-level accounts and monitor image attachments for changes. European organizations using WordPress with this plugin should assess their exposure, particularly those with public-facing sites that accept user-generated content. Countries with high WordPress adoption and active web publishing sectors, such as the UK, Germany, and France, are more likely to be affected.
AI Analysis
Technical Summary
The Easy Replace Image plugin for WordPress, developed by iulia-cazan, contains a Missing Authorization vulnerability (CWE-862) tracked as CVE-2026-1298. It affects all versions up to and including 3.5.2 and is caused by the absence of a capability check in the image_replacement_from_url function. That function is registered as the handler for the eri_from_url AJAX action and does not verify that the requesting user may modify the targeted attachment. Consequently, any authenticated user with Contributor-level access or higher can call the action to replace arbitrary image attachments with images sourced from external URLs. Because the existing attachment is replaced in place rather than a new file being uploaded, every post, page, or theme element that embeds it shows the attacker's image, so a single request can deface a site, insert phishing imagery, or manipulate displayed content. Exploitation requires only authentication at Contributor level and no further user interaction, which makes the flaw usable from a compromised low-privilege account as well as by a malicious legitimate user. This is a broken access control rather than a code-execution bug: its direct impact is on integrity, with no effect on confidentiality or availability. The reported CVSS 3.1 base score is 5.3 (medium) with network attack vector, low attack complexity, and no user interaction. Note that 5.3 is the score this impact profile yields for an unauthenticated (PR:N) vector, while the same profile with low privileges (PR:L), which matches the Contributor requirement, scores 4.3; confirm the vector string in the CVE record before using the number for prioritization. No patch and no known exploits are currently reported, but the flaw is publicly disclosed and should be addressed promptly. It is a textbook case of why every WordPress AJAX handler must enforce a capability check appropriate to the object it modifies, independent of any nonce: a nonce shows the request came from the plugin's own UI, not that the user is allowed to perform the action.
Potential Impact
For European organizations, this vulnerability poses a moderate risk to websites running WordPress with the Easy Replace Image plugin installed. Attackers holding Contributor-level access, a role normally limited to drafting content without publishing or managing the site, can replace any image attachment, which may lead to defacement or to embedding malicious content such as phishing imagery that lures visitors to external credential-harvesting pages. This damages brand reputation, erodes user trust, and can support follow-on social engineering. Public-facing sites in sectors such as e-commerce, media, and government are at higher risk because of their reliance on visual content and visitor engagement. Confidentiality is not directly affected; integrity is, and availability may suffer indirectly if the site has to be taken offline for cleanup. Since exploitation requires authenticated access, organizations with tight account provisioning and monitoring face lower risk, whereas those with loosely granted Contributor accounts (for example many external authors) or high user turnover are more exposed. Defacement by itself is not a personal-data breach under GDPR, but a replaced image that redirects visitors to a phishing page, or a compromise that extends to user data, can trigger incident-handling and notification duties, so such events should be assessed under the organization's breach process. The absence of known exploits leaves a window for proactive mitigation before abuse becomes widespread.
Mitigation Recommendations
1. Audit WordPress sites for the Easy Replace Image plugin and record the installed version; anything at or below 3.5.2 is affected.
2. Review who holds Contributor-level access or higher and remove or downgrade accounts that do not need it, so that as few users as possible can authenticate with sufficient privileges to exploit this vulnerability.
3. Log and monitor image replacement activity, in particular POST requests to wp-admin/admin-ajax.php carrying action=eri_from_url, and alert on calls from accounts that are not Editors or Administrators.
4. Add a WAF rule that blocks or alerts on requests to admin-ajax.php with action=eri_from_url. A WAF normally cannot see the WordPress role of the caller, so a blanket block until the plugin is patched, optionally with an allowlist of trusted administrator addresses, is more realistic than trying to filter "non-administrative users" at that layer.
5. Until an official patch is released, disable or remove the Easy Replace Image plugin if it is not essential to site functionality.
6. Educate site administrators and content contributors about the risk of unauthorized content changes and how to report anomalies.
7. Once a patch is available, update promptly to a version that enforces proper authorization checks, and verify the fix by attempting the action as a Contributor in a staging environment.
8. Enforce multi-factor authentication (MFA) for all authenticated users to reduce the risk of account compromise that could enable exploitation.
9. Review user roles and capabilities regularly so that the principle of least privilege is maintained across all WordPress installations.
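The following must-use plugin is an added, illustrative stop-gap for the missing check described in the Technical Summary and for mitigation steps 3, 4 and 7 above; it is not code from Easy Replace Image, from its author, or from Wordfence. It hooks the same eri_from_url AJAX action at an earlier priority and denies the request unless the caller may upload media and edit the specific attachment. Two things are assumed and must be checked against the installed plugin's source: that the plugin registers its handler with add_action('wp_ajax_eri_from_url', ...) at the default priority 10, and that the attachment ID and source URL arrive in request parameters named "id" and "url" (both hypothetical names).

```php
<?php
/**
 * Plugin Name: ERI authorization guard (hypothetical mu-plugin, not part of Easy Replace Image)
 * Description: Pre-empts the eri_from_url AJAX action with the capability checks the
 *              vulnerable handler lacks (CWE-862), until a patched plugin is installed.
 *
 * Install by copying into wp-content/mu-plugins/ so WordPress loads it before regular plugins.
 * Assumptions to verify against the plugin source:
 *   - the plugin hooks wp_ajax_eri_from_url at the default priority 10, so priority 0 runs first;
 *   - the attachment ID and source URL are sent in the request parameters named below.
 */

// Assumed request parameter names (hypothetical; adjust to the plugin's real names).
const ERI_GUARD_ID_PARAM  = 'id';
const ERI_GUARD_URL_PARAM = 'url';

/**
 * Deny the request with a 403 JSON error and an audit line, then stop.
 * wp_send_json_error() ends with wp_die(), so the plugin's own handler never runs.
 */
function eri_guard_deny( string $reason ): void {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    error_log( sprintf( 'eri_from_url denied: user=%d ip=%s reason=%s', get_current_user_id(), $ip, $reason ) );
    wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
}

/**
 * Authorization check for the image replacement action.
 * Two layers: a role-level gate (upload_files, which Contributors lack by default) and an
 * object-level gate (edit_post on the targeted attachment, so Authors can only overwrite
 * their own media while Editors and Administrators can overwrite any).
 * Nonce verification is deliberately left to the plugin: its nonce action name is not
 * known here, and a nonce is CSRF protection, not authorization.
 */
function eri_guard_check_request(): void {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        eri_guard_deny( 'missing upload_files capability' );
    }

    $attachment_id = isset( $_REQUEST[ ERI_GUARD_ID_PARAM ] ) ? absint( $_REQUEST[ ERI_GUARD_ID_PARAM ] ) : 0;
    if ( ! $attachment_id || ! wp_attachment_is_image( $attachment_id ) ) {
        eri_guard_deny( 'target is not an existing image attachment' );
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        eri_guard_deny( 'cannot edit attachment ' . $attachment_id );
    }

    // Defensive extra: only allow http(s) source URLs that pass core's wp_http_validate_url(),
    // which also rejects loopback and private-range destinations.
    $url = isset( $_REQUEST[ ERI_GUARD_URL_PARAM ] ) ? esc_url_raw( wp_unslash( $_REQUEST[ ERI_GUARD_URL_PARAM ] ) ) : '';
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        eri_guard_deny( 'source URL rejected' );
    }

    // All checks passed: fall through so the plugin's own handler (priority 10) runs as normal.
}

// Priority 0 places the guard ahead of the plugin's handler on the same AJAX action.
add_action( 'wp_ajax_eri_from_url', 'eri_guard_check_request', 0 );
```

To test the guard on a staging site, log in as a Contributor and as an Editor and submit the plugin's normal replace-from-URL request for an attachment owned by someone else: the Contributor should receive a 403 JSON error and a line in the PHP error log, while the Editor's request should still succeed. Remove the mu-plugin once a patched version of Easy Replace Image that performs its own capability check is installed, so that the two checks do not diverge.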
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-21T17:35:06.750Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 6979a3c14623b1157c91fb8f
Added to database: 1/28/2026, 5:50:57 AM
Last enriched: 1/28/2026, 6:05:46 AM
Last updated: 1/28/2026, 8:05:14 AM