Vulnerabilities and security researches foreasy-image-collage easy-image-collage

Jun 29, 2024

CVE, Research URL: CVE-2024-5863
Home page URL: Security reports for Easy Image Collage
Application: Easy Image Collage
Date: Jun 28, 2024
Research Description: The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts.
Affected versions: max 1.13.6.
Status: vulnerable

Jun 12, 2026

CVE, Research URL: CVE-2026-9019
Home page URL: Security reports for Easy Image Collage
Application: Easy Image Collage
Date: Jun 10, 2026
Research Description: The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress's unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone.
Affected versions: max 2.0.0.
Status: vulnerable