CVE-2026-5714
Description
Stored XSS in Enable Media Replace plugin for WordPress via the 'location_dir' parameter, affecting versions up to 4.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Enable Media Replace plugin for WordPress, in all versions up to and including 4.1.8, is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability exists due to insufficient input sanitization and output escaping in the location_dir parameter. The vulnerability is present in the file UploadViewController.php [1].
Exploitation
An authenticated attacker with at least Author-level access can exploit this vulnerability by manipulating the location_dir parameter to inject arbitrary web scripts into pages. The injected script executes whenever a user accesses a page that contains it.
Impact
Successful exploitation allows an attacker to inject arbitrary web scripts. These scripts execute in the context of the victim user's browser session, potentially leading to session hijacking, defacement, or further malicious actions depending on the script's payload and the victim's privileges.
Mitigation
This vulnerability was fixed in version 4.1.9 of the Enable Media Replace plugin. Users are strongly advised to update to version 4.1.9 or later to mitigate this risk. No workarounds are available for older versions.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.1.8
- (no CPE) range: <=4.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient input sanitization and output escaping in the ‘location_dir’ parameter allows for stored cross-site scripting."
Attack vector
An authenticated attacker with Author-level access or higher can exploit this vulnerability. The attacker crafts a malicious input for the ‘location_dir’ parameter, which is then stored by the plugin. When a user accesses a page where this malicious input is rendered, the injected web scripts are executed in their browser.
Affected code
The vulnerability resides in the Enable Media Replace plugin for WordPress. Specifically, the issue is related to how the ‘location_dir’ parameter is handled, as indicated by the code snippet from `screen.php` [1]. The lack of sanitization and escaping on this parameter allows for the injection of malicious scripts.
What the fix does
The patch addresses the vulnerability by implementing proper sanitization and escaping for the ‘location_dir’ parameter. This ensures that any user-supplied input intended for this parameter is treated as data and not executable code, preventing the injection of arbitrary web scripts. The fix prevents the stored cross-site scripting by ensuring the input is safely handled before being displayed.
Preconditions
- auth: Attacker must have at least Author-level access.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions
No linked articles in our index yet.