cleantalk
Vulnerabilities and Security Researches

External image replace, CVE-2025-4279

CVE, Research URL

CVE-2025-4279

Home page URL

Security reports for External image replace

Application

External image replace

Published on
May 06, 2025
Research Description
The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
Min -, max 1.0.8.
Status
vulnerable
Previous vulnerability researches
External image replace (CVE-2025-30535) , Mar 26, 2025
External image replace (CVE-2025-4279) , May 06, 2025
New vulnerability
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder (CVE-2024-10560) , May 06, 2025
System Dashboard (CVE-2024-12299) , May 06, 2025
LTL Freight Quotes – Worldwide Express Edition (CVE-2025-22286) , May 06, 2025
LTL Freight Quotes – Worldwide Express Edition (CVE-2025-22291) , May 06, 2025
Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms (CVE-2022-4974) , May 06, 2025