cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for enable-media-replace

Jun 16, 2026

Enable Media Replace # 2071476a-d6de-4035-82e5-a85f73f3e3d3

Application

Enable Media Replace

Date
-
Research Description
Enable Media Replace [enable-media-replace] < 2.4
Enable Media Replace <= 2.3 - Multiple Vulnerabilities
The Enable Media Replace WordPress plugin was affected by multiple security vulnerabilities.
Affected versions
max 2.4.
Status
vulnerable

Enable Media Replace # df3e2fab6a5af3b9e0d27a3576fbf0a2a4fd63ea

Application

Enable Media Replace

Date
Sep 14, 2023
Research Description
Enable Media Replace [enable-media-replace] < 4.1.3
Enable Media Replace <= 4.1.2 - Authenticated (Author+) PHP Object Injection
The Enable Media Replace plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.1.2 via deserialization of untrusted input in post content. This allows authenticated attackers with editor capabilities or above to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions
max 4.1.3.
Status
vulnerable

Enable Media Replace # f4b1dd6a3e69c6d6edbf516b825332a3724c8798

Application

Enable Media Replace

Date
Sep 15, 2023
Research Description
Enable Media Replace [enable-media-replace] < 4.1.3
WordPress Enable Media Replace Plugin < 4.1.3 is vulnerable to PHP Object Injection
Update the WordPress Enable Media Replace plugin to the latest available version (at least 4.1.3). The researcher who discovered and reported this PHP Object Injection vulnerability in the WordPress Enable Media Replace plugin is not known. It could allow a malicious actor to achieve code injection, SQL injection, path traversal, denial of service, and more if a suitable POP chain is present. This vulnerability has been fixed in version 4.1.3.
Affected versions
max 4.1.3.
Status
vulnerable
Jun 09, 2026

Enable Media Replace # CVE-2026-5714

CVE, Research URL

CVE-2026-5714

Application

Enable Media Replace

Date
Jun 09, 2026
Research Description
The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘location_dir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.1.9.
Status
vulnerable
May 26, 2026

Enable Media Replace # PSC-2026-64661

PSC, Research URL

PSC-2026-64661

Application

Enable Media Replace

Date
May 26, 2026
Research Description
Media replacement plugins work directly with the WordPress upload directory, attachment records, file names, MIME types, and references embedded across posts and pages. That makes them operationally useful, but also security-sensitive: insufficient checks can lead to arbitrary file upload, unauthorized file overwrite, path manipulation, or integrity damage to existing content. Enable Media Replace version 4.1.9 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64661, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for media management and file replacement plugins.
Affected versions
Min 4.1.9, max 4.1.9.
Status
SAFE & CERTIFIED
Apr 14, 2026

Enable Media Replace # CVE-2026-2732

CVE, Research URL

CVE-2026-2732

Application

Enable Media Replace

Date
Mar 04, 2026
Research Description
The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment.
Affected versions
max 4.1.8.
Status
vulnerable
Dec 10, 2025

Enable Media Replace # CVE-2025-9496

CVE, Research URL

CVE-2025-9496

Application

Enable Media Replace

Date
Oct 11, 2025
Research Description
The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file_modified shortcode in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.1.7.
Status
vulnerable
Apr 02, 2025

Enable Media Replace # CVE-2025-31081

CVE, Research URL

CVE-2025-31081

Application

Enable Media Replace

Date
Apr 02, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace (enable-media-replace) allows Reflected XSS. This issue affects Enable Media Replace: from n/a through <= 4.1.5.
Affected versions
max 4.1.6.
Status
vulnerable
Jun 06, 2024

Enable Media Replace # CVE-2023-0255

CVE, Research URL

CVE-2023-0255

Application

Enable Media Replace

Date
Feb 13, 2023
Research Description
The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
Affected versions
max 4.0.2.
Status
vulnerable

Enable Media Replace # CVE-2023-6737

CVE, Research URL

CVE-2023-6737

Application

Enable Media Replace

Date
Jan 11, 2024
Research Description
The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploiting this vulnerability requires the attacker to know the ID of an attachment uploaded by the user they are attacking.
Affected versions
max 4.1.5.
Status
vulnerable

Enable Media Replace # 998cd782c633045e5da1cdac6b7b7cd2ce8eb0d2

Application

Enable Media Replace

Date
Feb 09, 2011
Research Description
Enable Media Replace [enable-media-replace] < 2.4
WordPress Enable Media Replace Plugin - Multiple Vulnerabilities
In general, the impact of these issues is information retrieval and manipulation and arbitrary code execution. More details: multiple vulnerabilities exist in the Enable Media Replace plugin for WordPress: 1. Users can perform SQL injection attacks against the plugin. 2. Users can upload arbitrary files (for example, PHP files) to retrieve or change important information in the SQL database.
Affected versions
max 2.4.
Status
vulnerable

Enable Media Replace # CVE-2022-2554

CVE, Research URL

CVE-2022-2554

Application

Enable Media Replace

Date
Oct 11, 2022
Research Description
The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high-privilege users such as admins to move them outside it, for example to the web root directory, via a path traversal attack.
Affected versions
max 4.0.0.
Status
vulnerable

Enable Media Replace # CVE-2023-4643

CVE, Research URL

CVE-2023-4643

Application

Enable Media Replace

Date
Oct 17, 2023
Research Description
The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog.
Affected versions
max 4.1.3.
Status
vulnerable