Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
PR:H reflects editor-level authentication required to inject the payload; A:N applied because stored XSS does not disrupt service availability.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS.
This issue affects Enable Media Replace: from n/a through 4.2.1.
AnalysisAI
Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum the capability to use the Enable Media Replace plugin's media replacement feature, corresponding to Editor role or higher in a default WordPress configuration (consistent with PR:H in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.9 (Medium) accurately reflects a bounded but real threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained WordPress editor-level credentials through phishing or credential stuffing accesses the Media Library, selects an existing media item, and uses the Replace Media feature to inject a malicious JavaScript payload into an input field that is stored without sanitization. When a site administrator later navigates to the WordPress dashboard or a page that renders the affected media metadata, the stored script executes silently in the admin's browser, potentially exfiltrating the session cookie or issuing authenticated admin API requests on the attacker's behalf. |
| Remediation | Update the Enable Media Replace plugin to a version released after 4.2.1 once ShortPixel publishes a patched release; monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/enable-media-replace/vulnerability/wordpress-enable-media-replace-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve for confirmation of the exact fixed version number, which is not independently confirmed in available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enable Media Replace
View allThe Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which
The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the si
The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41096
GHSA-c8m2-cj6f-v5p6