PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9019 brechtvds CVE debrief

The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress's unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone.

Vendor
brechtvds
Product
Easy Image Collage
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-10
Advisory published
2026-06-10
Advisory updated
2026-06-10

Who should care

Users of the Easy Image Collage plugin for WordPress, particularly those with author-level access and above, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the Easy Image Collage plugin for WordPress, specifically in the handling of 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' parameters. Insufficient input sanitization and output escaping allow for Stored Cross-Site Scripting attacks.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the Easy Image Collage plugin to a version beyond 1.13.6.
  • Restrict access to the plugin's functionality for users with author-level access and above.
  • Implement additional security measures, such as input validation and output encoding, to prevent similar vulnerabilities.

Evidence notes

The CVE-2026-9019 vulnerability was identified in the Easy Image Collage plugin for WordPress. The vulnerability allows for Stored Cross-Site Scripting attacks due to insufficient input sanitization and output escaping.

Official resources

CVE-2026-9019 was published on 2026-06-10T08:16:25.937Z and modified on 2026-06-10T18:35:12.690Z.