Skip to main content

Enable Media Replace

4 CVEs product

Monthly

CVE-2026-57722 MEDIUM This Month

Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. No public exploit code or CISA KEV listing has been identified at time of analysis; the Patchstack advisory is the primary confirmed intelligence source.

XSS Enable Media Replace
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2023-4643 HIGH POC This Week

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress PHP Enable Media Replace
NVD WPScan
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-0255 HIGH POC This Week

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress PHP Enable Media Replace
NVD WPScan
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-2554 MEDIUM POC This Month

The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Enable Media Replace
NVD WPScan
CVSS 3.1
4.9
EPSS
0.8%
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored cross-site scripting in the ShortPixel Enable Media Replace WordPress plugin (all versions through 4.2.1) allows an authenticated attacker with high-level privileges to inject persistent malicious scripts via the media replacement workflow, which then execute in the browser context of any WordPress user who subsequently views the affected content. The scope change confirmed by the CVSS vector (S:C) means a compromised editor-level account could be leveraged to target administrator sessions, enabling privilege escalation within the WordPress admin interface. No public exploit code or CISA KEV listing has been identified at time of analysis; the Patchstack advisory is the primary confirmed intelligence source.

XSS Enable Media Replace
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC This Week

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress PHP +1
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress PHP +1
NVD WPScan
EPSS 1% CVSS 4.9
MEDIUM POC This Month

The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Enable Media Replace
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy