The vulnerability is a reflected XSS flaw that arises from improper sanitization of user input before it is echoed back into a web page by the WordPress Enable Media Replace plugin. The flaw allows an attacker to embed arbitrary JavaScript in page content that executes in the browser context of any user who views the affected page, potentially leading to credential theft, session hijacking, or defacement. The weakness is classified as CWE‑79 and the public CVSS score is 7.1, indicating a moderate‑to‑high risk of exploitation.

The affected product is the WordPress Enable Media Replace plugin supplied by ShortPixel, version 4.1.5 or earlier. No other WordPress core or plugin versions are noted as vulnerable.

The EPSS score is less than 1 %, showing a very low but non‑zero chance of exploitation in the wild; the plugin is not listed in the CISA KEV catalog. Attackers would need to trick a victim into visiting a crafted URL or form that contains malicious input, which then is echoed back to the victim’s browser. Because the flaw is reflected, exploitation is possible without user interaction beyond the visit, but it requires the victim to have the plugin active and the affected URL to be accessible. The CVSS base score of 7.1 reflects that impact includes confidentiality, integrity and availability concerns via the victim’s browser session.