CVE-2026-9019: Easy Image Collage WordPress Plugin Stored XSS Vulnerability
The Easy Image Collage plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.13.6. Attackers with author-level access or higher can inject malicious scripts into posts or pages through image collage settings. When other users view these pages, the injected scripts execute in their browsers, potentially stealing credentials, redirecting traffic, or performing actions on their behalf. The vulnerability persists because the plugin stores user input in post metadata without proper sanitization, bypassing WordPress's standard HTML restriction controls that normally protect against this type of attack.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress's unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is a Stored XSS flaw (CWE-79) affecting the Easy Image Collage plugin through version 1.13.6. The plugin fails to sanitize and escape user-supplied data in the 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' parameters. Critically, this data is stored via update_post_meta() rather than inserted into post content, which means WordPress's built-in unfiltered_html capability restrictions do not apply. An authenticated user with author-level permissions can inject arbitrary JavaScript that executes whenever the affected page is viewed, impacting all site visitors including administrators.
Business impact
Organizations running vulnerable versions face a direct threat to user security and site integrity. Authors and contributors—typically editorial staff or content creators—can unknowingly or maliciously inject malicious scripts that execute across the entire site. This can lead to credential theft, malware distribution, defacement, or redirection attacks affecting both site visitors and administrators. The persistent nature of stored XSS means the attack continues until the injected content is manually removed. For multi-author WordPress sites, this represents a significant internal threat vector that cannot be mitigated solely through role-based access controls.
Affected systems
All versions of the Easy Image Collage plugin up to and including 1.13.6 are vulnerable. The attack requires WordPress user accounts with author-level access or above. This includes Authors, Editors, and Administrators. Any WordPress site using this plugin with multiple content creators is at elevated risk, as the vulnerability can be exploited by trusted internal users.
Exploitability
Exploitability is straightforward for attackers with valid WordPress credentials at author level or above. No elevated privileges, user interaction, or complex network configuration is required—only authenticated access to post creation or editing pages. The attack is reliable and reproducible across network boundaries (AV:N), requires low attack complexity (AC:L), and succeeds without additional user interaction at the exploitation point (UI:N). The primary limiting factor is the requirement for valid authentication and author-level access, which restricts the attack surface to internal or compromised user accounts rather than fully unauthenticated threats.
Remediation
Update the Easy Image Collage plugin to a version released after 1.13.6 that addresses the sanitization and escaping deficiencies. Verify the patch version against the official WordPress plugin repository or vendor advisory before deploying. As an interim measure, restrict author-level access to users who absolutely require content creation privileges, and audit existing posts and pages created with the plugin for suspicious scripts. Consider using Web Application Firewall (WAF) rules to detect and block XSS payloads in post metadata updates, though this is not a substitute for patching.
Patch guidance
Check the official Easy Image Collage plugin repository on WordPress.org or the vendor's security advisory for the first patched version following 1.13.6. Apply updates through the WordPress admin dashboard or via command line. After patching, audit all posts and pages that use the Image Collage feature, particularly those edited by authors during the vulnerable period. Consider using a security plugin to scan post metadata for encoded or obfuscated JavaScript. Test the patched version on a staging environment before deploying to production to ensure compatibility with existing collages.
Detection guidance
Monitor WordPress post metadata for suspicious content in Easy Image Collage settings, particularly the borderColor and attachment_url fields. Look for HTML tags, JavaScript event handlers, and encoded payloads within post_meta entries related to the plugin. Review WordPress user activity logs for authors editing collage settings, and correlate with periods when unexpected scripts appeared on published pages. Implement Web Application Firewall logging to detect requests containing script tags or event handlers targeting post metadata endpoints. Query the wp_postmeta table for patterns like '<script', 'onerror=', 'onload=', or base64-encoded content within the 'grid' serialized data.
Why prioritize this
Despite a MEDIUM CVSS score (6.4), this vulnerability warrants elevated attention due to its stored nature, persistence across all site visitors, and the difficulty of detecting unauthorized modifications after the fact. The attack bypasses WordPress's built-in capability restrictions, meaning standard access controls cannot fully mitigate the risk. Multi-author sites and sites with strong SEO visibility face heightened reputational risk if malicious content reaches visitors. Prioritize patching environments with high-value content, public-facing marketing sites, or those with numerous content contributors.
Risk score, explained
The CVSS 3.1 score of 6.4 (MEDIUM) reflects network accessibility (AV:N), low attack complexity (AC:L), the requirement for low-privilege authentication (PR:L), and broad scope impact (S:C) with confidentiality and integrity compromise (C:L, I:L). Availability is not affected (A:N). The score accurately captures that this is not a trivial vulnerability—it enables authenticated attackers to inject malicious code visible to all users—but is constrained by the authentication requirement and the fact that no remote unauthenticated attack is possible. Organizations should not discount this threat despite the MEDIUM rating; the persistence and bypass of standard WordPress controls elevate practical risk beyond the numeric score.
Frequently asked questions
Can an Editor or Contributor with lower privileges exploit this vulnerability?
No. The vulnerability requires author-level access or above. Contributors, who can only draft posts, cannot modify post metadata in the way needed to inject malicious scripts. However, if your WordPress roles have been customized, verify that your authors and editors truly cannot access the Image Collage settings.
Why doesn't WordPress's unfiltered_html restriction block this attack?
WordPress's unfiltered_html capability prevents script injection in post_content (the main post body), but not in post metadata. The Easy Image Collage plugin stores collage settings in wp_postmeta without sanitizing them, so the unfiltered_html restriction never applies. This is why the vulnerability persists even on restricted WordPress installations.
If we deactivate the plugin, are we protected?
Deactivating the plugin stops new injections, but does not remove scripts already stored in post metadata. Any posts edited with the vulnerable plugin while it was active may still contain malicious scripts. Audit and manually clean affected content, or use a security plugin to strip dangerous payloads from post metadata.
Is this vulnerability being actively exploited?
As of the last update, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread in-the-wild exploitation has been publicly confirmed. However, the ease of exploitation for authenticated users means it is a prime candidate for targeted attacks on sites with weak internal access controls or compromised accounts.
This analysis is provided for informational purposes and represents SEC.co's professional interpretation of publicly available vulnerability data as of the publication date. Patch version numbers and KEV status are not included in this source data and should be verified directly with the Easy Image Collage vendor, the WordPress plugin repository, or CISA's KEV catalog. Organizations should conduct their own risk assessment based on their specific WordPress environment, user roles, and content contributors. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any actions taken in reliance upon it. Always test security updates in a non-production environment before deploying to production systems. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings