Easy Media Replace Security & Risk Analysis

wordpress.org/plugins/easy-media-replace

Replace Images and Media Files in WordPress Easily and Quickly.

1K active installs · v0.2.0 · PHP 5.4+ · WP 4.0+ · Updated Apr 25, 2023
Tags: image, picture, replace, replace-file, replace-image
84
B · Generally Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 28, 2023
Safety Verdict

Is Easy Media Replace Safe to Use in 2026?

Mostly Safe

Score 84/100

Easy Media Replace is generally safe to use, though it hasn't been updated recently. 1 past CVE was resolved.

1 known CVE · Last CVE: Mar 28, 2023 · Updated 3yr ago
Risk Assessment

The "easy-media-replace" plugin version 0.2.0 presents a significant security risk due to multiple unauthenticated AJAX handlers. While the plugin demonstrates good practices by utilizing prepared statements for SQL queries and performing nonce and capability checks on its entry points, the lack of authorization on all identified AJAX handlers is a critical concern. This means that any authenticated user, regardless of their role or permissions, could potentially trigger these actions, leading to unintended consequences or further exploitation if combined with other weaknesses.

The static analysis did not reveal any dangerous functions, SQL injection vulnerabilities, or problematic taint flows, which is a positive sign. However, the complete absence of proper output escaping across all identified outputs is a serious deficiency. This could allow for cross-site scripting (XSS) vulnerabilities if user-supplied data is reflected directly in the output without sanitization.

The plugin has a history of one known high-severity vulnerability, specifically related to missing authorization, with its last occurrence in March 2023. Although there are currently no unpatched vulnerabilities, this history, combined with the present finding of unauthenticated AJAX handlers, suggests a recurring pattern of authorization oversight. The overall security posture is thus mixed, with strengths in data handling (SQL) but significant weaknesses in access control and output sanitization, requiring immediate attention.

Key Concerns

  • Unprotected AJAX handlers
  • Unescaped output
  • Past high severity vulnerability (Missing Authorization)
Vulnerabilities
1 published

Easy Media Replace Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

High: 1

1 total CVE

CVE-2022-46850 · high · 8.1 · Missing Authorization

Easy Media Replace <= 0.1.3 - Authenticated (Author+) Arbitrary File Deletion

Mar 28, 2023 · Patched in 0.2.0 (301d)
Version History

Easy Media Replace Release Timeline

  • v0.2.0: Current
  • v0.1.3: 1 CVE
  • v0.1.2: 1 CVE
  • v0.1.1: 1 CVE
  • v0.1.0: 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Easy Media Replace Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 6 (0 escaped)
Nonce Checks: 4
Capability Checks: 4
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped · 6 total outputs
Attack Surface
4 unprotected

Easy Media Replace Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers: 4

  • auth · wp_ajax_emr:dialog · includes\class-easy-media-replace.php:169
  • auth · wp_ajax_emr:upload · includes\class-easy-media-replace.php:170
  • auth · wp_ajax_emr:replace · includes\class-easy-media-replace.php:171
  • auth · wp_ajax_emr:remove · includes\class-easy-media-replace.php:172

WordPress Hooks: 8

  • filter · big_image_size_threshold · admin\class-easy-media-replace-admin.php:195
  • filter · intermediate_image_sizes_advanced · admin\class-easy-media-replace-admin.php:196
  • action · plugins_loaded · includes\class-easy-media-replace.php:147
  • action · admin_enqueue_scripts · includes\class-easy-media-replace.php:163
  • action · admin_enqueue_scripts · includes\class-easy-media-replace.php:164
  • filter · attachment_fields_to_edit · includes\class-easy-media-replace.php:166
  • filter · attachment_submitbox_misc_actions · includes\class-easy-media-replace.php:167
  • filter · media_row_actions · includes\class-easy-media-replace.php:168
Maintenance & Trust

Easy Media Replace Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: Apr 25, 2023
PHP min version: 5.4
Downloads: 21K

Community Trust

Rating: 80/100
Number of ratings: 8
Active installs: 1K
Developer Profile

Easy Media Replace Developer Profile

Nabil Lemsieh

4 plugins · 30K total installs

Trust score: 85
Avg Security Score: 95/100
Avg Patch Time: 61 days
Detection Fingerprints

How We Detect Easy Media Replace

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/easy-media-replace/admin/css/jquery-ui.min.css
  • /wp-content/plugins/easy-media-replace/admin/css/easy-media-replace-admin.css
  • /wp-content/plugins/easy-media-replace/admin/js/dropzone.js
  • /wp-content/plugins/easy-media-replace/admin/js/easy-media-replace-admin.js
Script Paths
  • /wp-content/plugins/easy-media-replace/admin/js/dropzone.js
  • /wp-content/plugins/easy-media-replace/admin/js/easy-media-replace-admin.js
Version Parameters
  • easy-media-replace/admin/css/easy-media-replace-admin.css?ver=
  • easy-media-replace/admin/js/easy-media-replace-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • js-emr-open-dialog
  • emr-dialog__open
  • misc-pub-emr
Data Attributes
  • data-attachment-id
  • data-attachment-mime
JS Globals
emr_ajax_object