Easy Replace Image WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary Attachment Replacement

Vulnerability

A vulnerability exists in the Easy Replace Image plugin for WordPress, affecting all versions up to and including 3.5.2. The issue stems from a lack of proper authorization checks in the 'image_replacement_from_url' function, which is linked to the 'eri_from_url' AJAX action. This flaw enables authenticated attackers with Contributor-level access or higher to replace any image attachment on the site with images sourced from external URLs. Such an action could lead to unauthorized content changes, including potential site defacements or phishing-related modifications.

Impact

Exploitation of this vulnerability allows for unauthorized replacement of image attachments, which could be used to manipulate content or impersonate individuals or organizations.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the 'eri_from_url' AJAX action. This request must include the ID of the image attachment to be replaced and the URL of the image to be used as a replacement. The absence of authorization checks in the AJAX handler allows this action to be performed without the necessary permissions.
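The authorization that the sections above describe as missing is a capability check on the specific attachment being replaced, performed inside the AJAX handler before any fetch happens. The following is an added illustration of a hardened handler for the 'eri_from_url' action; it is not the Easy Replace Image plugin's own code, and every name other than the action name (the function, the nonce action, and the `attachment_id` and `url` request fields) is assumed.

```php
<?php
// Added example, not code from the Easy Replace Image plugin.
// Hypothetical hardened handler registered for the 'eri_from_url' AJAX action.
add_action( 'wp_ajax_eri_from_url', 'example_hardened_image_replacement_from_url' );

function example_hardened_image_replacement_from_url() {
    // CSRF protection: the request must carry a nonce issued for this action
    // (assumes the enqueued script received wp_create_nonce( 'eri_from_url' )).
    check_ajax_referer( 'eri_from_url', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $url           = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // The target must be an existing image attachment.
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id )
        || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // Authorization on the object, not just on being logged in. This is the check
    // the advisory reports as absent. 'edit_post' on an attachment goes through
    // map_meta_cap, so a Contributor may only touch attachments they own, while
    // Editors and Administrators may edit any attachment.
    if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only fetch well-formed http(s) URLs.
    if ( ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // download_url() and wp_handle_sideload() apply WordPress' MIME and size rules.
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( array( 'message' => $tmp->get_error_message() ), 502 );
    }
    $file   = array( 'name' => basename( wp_parse_url( $url, PHP_URL_PATH ) ), 'tmp_name' => $tmp );
    $result = wp_handle_sideload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        @unlink( $tmp );
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    // Point the attachment at the new file and regenerate its sizes/metadata.
    update_attached_file( $attachment_id, $result['file'] );
    wp_update_attachment_metadata( $attachment_id,
        wp_generate_attachment_metadata( $attachment_id, $result['file'] ) );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```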

Remediation

Users are advised to update the Easy Replace Image plugin to version 3.5.3 or later, where this vulnerability has been patched.

Added: Jan 28, 2026, 6:20 AM
Updated: Jan 28, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.8
remediation: 0.0
relevance: 2.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.