PT-2026-5061 · WordPress · Easy Replace Image

Nabil Irawan · Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-1298

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Easy Replace Image plugin for WordPress versions prior to 3.5.3

Description

The Easy Replace Image plugin for WordPress is susceptible to a missing authorization issue. This is caused by a lack of appropriate capability checks within the image replacement from url function, which is connected to the eri from url AJAX action. Authenticated attackers possessing Contributor-level access or higher can replace any image attachments on the website with images sourced from external URLs. This could lead to site defacement, phishing attacks, or content manipulation.

Recommendations

Update the Easy Replace Image plugin to version 3.5.3 or later.
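
For plugin authors reviewing their own AJAX handlers for the same weakness, the following is an added example of a replace-from-URL handler with the capability checks in place. It is not the Easy Replace Image plugin's code or its 3.5.3 patch; the action name, function name and POST field names are hypothetical.

```php
<?php
// Added illustration. Handler name, action name and POST fields are hypothetical,
// not taken from the Easy Replace Image plugin.
add_action( 'wp_ajax_example_replace_from_url', 'example_replace_from_url' );

function example_replace_from_url() {
	// wp_ajax_* only proves the caller is logged in; a Contributor gets this far.
	check_ajax_referer( 'example_replace_from_url', 'nonce' ); // CSRF check, not authorization

	$id  = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
	$url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

	if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
		wp_send_json_error( array( 'message' => 'Not an attachment.' ), 400 );
	}

	// The authorization step: a general capability (Contributors lack upload_files
	// by default) plus a per-object check, so Authors can only touch their own media.
	if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $id ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
	}

	if ( ! wp_http_validate_url( $url ) ) {
		wp_send_json_error( array( 'message' => 'URL rejected.' ), 400 );
	}

	$tmp = download_url( $url, 15 ); // fetches via wp_safe_remote_get()
	if ( is_wp_error( $tmp ) ) {
		wp_send_json_error( array( 'message' => 'Download failed.' ), 502 );
	}

	// Only accept real image data of the same type as the file being replaced.
	$mime = wp_get_image_mime( $tmp );
	$path = get_attached_file( $id );
	if ( ! $mime || ! $path || get_post_mime_type( $id ) !== $mime ) {
		wp_delete_file( $tmp );
		wp_send_json_error( array( 'message' => 'Type mismatch.' ), 415 );
	}

	$ok = copy( $tmp, $path );
	wp_delete_file( $tmp );
	if ( ! $ok ) {
		wp_send_json_error( array( 'message' => 'Write failed.' ), 500 );
	}
	wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $path ) );
	wp_send_json_success( array( 'attachment_id' => $id ) );
}
```

The nonce check alone would not close this class of bug, because any logged-in user who can load the page that prints the nonce can submit it; the `current_user_can()` calls are what restrict the action by role and by attachment.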

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-1298

Affected Products

Easy Replace Image