VYPR

Enable Media Replace

by WordPress

CVEs (7)

  • CVE-2023-4643 | High | Oct 16, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog.

  • CVE-2023-0255 | High | Feb 13, 2023
    risk 0.57 | cvss 8.8 | epss 0.01

    The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

  • CVE-2026-5714 | Medium | Jun 9, 2026
    risk 0.42 | cvss 6.4 | epss 0.00

    The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘location_dir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

  • CVE-2025-31081 | High | Apr 1, 2025
    risk 0.39 | cvss 7.1 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace enable-media-replace allows Reflected XSS. This issue affects Enable Media Replace: from n/a through <= 4.1.5.

  • CVE-2025-9496 | Medium | Oct 11, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file_modified shortcode in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2022-2554 | Medium | Oct 10, 2022
    risk 0.32 | cvss 4.9 | epss 0.01

    The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high-privilege users such as admins to move them outside it, to the web root directory, for example via a path traversal attack.

  • CVE-2023-6737 | Medium | Jan 11, 2024
    risk 0.31 | cvss 4.7 | epss 0.00

    The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…