cleantalk
Vulnerabilities and Security Researches

External image replace, CVE-2025-4279

CVE, Research URL

CVE-2025-4279

Home page URL

Security reports for External image replace

Application

External image replace

Published on
May 06, 2025
Research Description
The External image replace plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'external_image_replace_get_posts::replace_post' function in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
Min -, max 1.0.8.
Status
vulnerable
Previous vulnerability researches
Unite Gallery Lite (CVE-2024-43207) , Aug 13, 2024
Unite Gallery Lite (CVE-2023-34183) , Jun 07, 2024
Unite Gallery Lite (CVE-2023-33310) , Jun 07, 2024
Unite Gallery Lite (CVE-2015-9446) , Jun 07, 2024
Unite Gallery Lite (CVE-2015-9445) , Jun 07, 2024
New vulnerability
External image replace (CVE-2025-4279) , May 06, 2025
Absolute Links (CVE-2025-43833) , May 05, 2025
List Children (CVE-2025-4099) , May 05, 2025
Libro de Reclamaciones (CVE-2025-46446) , May 05, 2025
Enhanced Paypal Shortcodes (CVE-2025-46543) , May 05, 2025