Easy Image Collage Plugin Vulnerability (CVE-2026-9019)

Security Alert Summary

The Easy Image Collage plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with author-level access and above to inject arbitrary JavaScript into pages. The issue is caused by insufficient input sanitization and output escaping of specific grid parameters, and stored data is saved via update_post_meta() in a way that bypasses WordPress unfiltered_html restrictions for Authors.


CVE Details

  • CVE ID: CVE-2026-9019
  • Affected component: Easy Image Collage plugin for WordPress
  • Affected versions: All versions up to and including 1.13.6
  • Published: June 10, 2026 at 8:16:25 AM
  • Last modified: June 10, 2026 at 8:16:25 AM
  • CVSS v3.1: Base Score 6.4, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Author-level or higher). No user interaction is required for exploitation.
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE: CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and output escaping of the grid[properties][borderColor] and grid[images][N][attachment_url] parameters. Malicious input provided to those parameters is persisted and later rendered in pages where the injected data is displayed.

Notably, the plugin stores the data via update_post_meta() rather than inserting it into post content via wp_insert_post(). Because of this storage method, WordPress’s unfiltered_html capability restriction does not block the attack path for users with Author-level capabilities, allowing an authenticated author to save payloads that will execute when other users view the affected pages.

The impact is execution of attacker-controlled scripts in the context of pages that include the injected meta values. This can lead to actions performed in the context of visiting users or disclosure of data accessible to client-side scripts, consistent with the CVSS confidentiality and integrity impacts noted above.
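The storage pattern described above, shown as an added illustration rather than code from the Easy Image Collage plugin: a save handler that writes the raw `grid` request array into post meta (the path that sidesteps the kses filtering an Author without `unfiltered_html` would otherwise hit), followed by a hardened version that validates `borderColor` as a hex colour and `attachment_url` as an http(s) URL before storing, and escapes again on output. The meta key `_eic_demo_grid`, the nonce name and all function names are assumptions; only the parameter names come from the advisory.

```php
<?php
// Added example, not the plugin's own code. Meta key, nonce name and function
// names are assumed; the parameter names match the advisory.

// --- Pattern the advisory describes (insecure): the request array is saved as-is.
//     update_post_meta() does not run the content through wp_kses, so an Author
//     can persist markup that wp_insert_post() would have stripped.
function eic_demo_save_grid_insecure( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $grid = isset( $_POST['grid'] ) ? wp_unslash( $_POST['grid'] ) : array();
    update_post_meta( $post_id, '_eic_demo_grid', $grid ); // stored verbatim
}

// --- Hardened: validate each field against the type it is supposed to be.
function eic_demo_sanitize_grid( $grid ): array {
    $clean = array( 'properties' => array( 'borderColor' => '' ), 'images' => array() );
    if ( ! is_array( $grid ) ) {
        return $clean;
    }
    // borderColor is only ever a CSS hex colour (#abc or #aabbcc); anything else is dropped.
    $color = isset( $grid['properties']['borderColor'] ) ? (string) $grid['properties']['borderColor'] : '';
    if ( preg_match( '/^#(?:[0-9a-fA-F]{3}){1,2}$/', $color ) ) {
        $clean['properties']['borderColor'] = $color;
    }
    // attachment_url must be an http(s) URL; esc_url_raw() rejects other schemes such as javascript:.
    if ( isset( $grid['images'] ) && is_array( $grid['images'] ) ) {
        foreach ( $grid['images'] as $image ) {
            $url = isset( $image['attachment_url'] )
                ? esc_url_raw( (string) $image['attachment_url'], array( 'http', 'https' ) )
                : '';
            if ( '' !== $url ) {
                $clean['images'][] = array( 'attachment_url' => $url );
            }
        }
    }
    return $clean;
}

function eic_demo_save_grid_secure( int $post_id ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'eic_demo_save_grid', 'eic_demo_nonce' ); // assumed nonce action/field
    $grid = isset( $_POST['grid'] ) ? wp_unslash( $_POST['grid'] ) : array();
    update_post_meta( $post_id, '_eic_demo_grid', eic_demo_sanitize_grid( $grid ) );
}

// Output side: escape even though the value was sanitized on save, because post
// meta can also be written by other paths (REST API, WP-CLI, imports, older data).
function eic_demo_render_grid( int $post_id ): string {
    $grid  = eic_demo_sanitize_grid( get_post_meta( $post_id, '_eic_demo_grid', true ) );
    $html  = '<div class="eic-demo-grid" style="border-color:' . esc_attr( $grid['properties']['borderColor'] ) . '">';
    foreach ( $grid['images'] as $image ) {
        $html .= '<img src="' . esc_url( $image['attachment_url'] ) . '" alt="">';
    }
    return $html . '</div>';
}
```

The design point is that both halves are needed: validating on save closes the Author-level path the advisory describes, while escaping on output (`esc_attr` for the style attribute, `esc_url` for the `src`) protects against any other writer of the same meta key.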


How This Could Impact Your Website

Consider a site with multiple WordPress users: a site owner (Administrator), internal staff who publish content (Editors and Authors), and an external contractor or contributor assigned Author-level access. An Author account with malicious intent could save specially crafted values into the plugin’s grid parameters. When editors, administrators, or other users view pages that render that stored data, the injected script can run in their browsers.

Practical consequences include exposure of information accessible in the browser (for example, session-related data visible to JavaScript or user interface content), unauthorized actions performed in the context of a logged-in user, and increased risk of targeted phishing or social engineering based on data collected by the injected script. The vulnerability does not indicate guaranteed full site takeover, but it does allow client-side script execution with the impacts described above.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Author-level accounts and contributor access.
  • Enforce strong passwords and two-factor authentication for Editors and Administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual behavior related to post meta updates or unexpected script output.
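One way to act on the last item, as an added example that is not part of the advisory: a must-use plugin that hooks the core `added_post_meta` and `updated_post_meta` actions and logs any write to watched meta keys whose value contains script-like markup, together with who made it and whether that user holds `unfiltered_html`. The watched key `_eic_demo_grid` and the pattern list are assumptions; replace the key with the meta keys of the plugins you actually run.

```php
<?php
/**
 * Plugin Name: Demo post-meta markup monitor
 * Description: Added example (not from the advisory). Place in wp-content/mu-plugins/.
 */

// Heuristics for markup that has no business in plain grid data. Assumed, not exhaustive.
const EIC_DEMO_SUSPECT_PATTERNS = array(
    '/<\s*script/i',
    '/javascript\s*:/i',
    '/<[a-z][^>]*\son[a-z]+\s*=/i',          // inline event-handler attribute
    '/<\s*(iframe|svg|object|embed)\b/i',
);

// Walk a scalar or nested array value and report whether any leaf matches.
function eic_demo_value_looks_like_markup( $value ): bool {
    $found = false;
    $check = function ( $leaf ) use ( &$found ) {
        if ( $found || ! is_scalar( $leaf ) ) {
            return;
        }
        foreach ( EIC_DEMO_SUSPECT_PATTERNS as $re ) {
            if ( preg_match( $re, (string) $leaf ) ) {
                $found = true;
                return;
            }
        }
    };
    if ( is_array( $value ) ) {
        array_walk_recursive( $value, $check );
    } else {
        $check( $value );
    }
    return $found;
}

// Hook callback: (meta_id, object_id, meta_key, meta_value) as passed by core.
function eic_demo_log_suspicious_meta( $meta_id, $object_id, $meta_key, $meta_value ): void {
    $watched = array( '_eic_demo_grid' ); // assumed key; use the real plugin's meta keys
    if ( ! in_array( $meta_key, $watched, true ) || ! eic_demo_value_looks_like_markup( $meta_value ) ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[meta-markup-monitor] post=%d key=%s user=%s(%d) unfiltered_html=%s ip=%s',
        (int) $object_id,
        $meta_key,
        $user->user_login,
        (int) $user->ID,
        current_user_can( 'unfiltered_html' ) ? 'yes' : 'no',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
}
add_action( 'added_post_meta',   'eic_demo_log_suspicious_meta', 10, 4 );
add_action( 'updated_post_meta', 'eic_demo_log_suspicious_meta', 10, 4 );
```

Entries land in the PHP error log (or wherever `error_log` is routed); a write flagged with `unfiltered_html=no` is exactly the case the advisory describes and is worth reviewing promptly.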

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References