Impact
The Enable Media Replace WordPress plugin contains a stored cross-site scripting flaw caused by improper input sanitization. Malicious code injected through the plugin's media replacement interface is persisted and then executed in the browser of any user who views the affected page, potentially enabling session hijacking, credential theft, or defacement. Because the browser renders the unsanitized input as part of the page, the flaw leads to confidentiality and integrity violations for site visitors.
Affected Systems
ShortPixel’s Enable Media Replace plugin, versions up to and including 4.2.1, is affected. Users of WordPress installations that have the plugin installed and have not upgraded beyond 4.2.1 are at risk.
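A version check for the affected range above, as an added example that is not part of the advisory or the plugin: it reads the `Version:` field from a WordPress plugin header and flags anything up to and including 4.2.1. The sample headers (including the 4.10.0 value) are constructed for illustration, and the main-file path `enable-media-replace/enable-media-replace.php` is an assumption about the install layout.

```python
import re
import sys

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = (4, 2, 1)

# WordPress reads plugin metadata from a comment header in the main plugin file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample headers, not copied from any real release.
SAMPLE_OLD = "<?php\n/**\n * Plugin Name: Enable Media Replace\n * Version: 4.2.1\n */\n"
SAMPLE_NEW = "<?php\n/**\n * Plugin Name: Enable Media Replace\n * Version: 4.10.0\n */\n"


def plugin_version(header_text):
    """Return the Version: value from a plugin header, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_key(version):
    """Turn '4.2' or '4.2.1-beta' into a tuple of ints, padded to three parts."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(header_text):
    """True if the version is <= 4.2.1; an unreadable version counts as affected."""
    version = plugin_version(header_text)
    if version is None:
        return True  # fail closed: unknown version needs manual review
    # Numeric comparison, so 4.10.0 sorts after 4.2.1 (string comparison would not).
    return version_key(version) <= LAST_AFFECTED


if __name__ == "__main__":
    # Assumed usage: pass the path to the plugin's main PHP file.
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # the header sits at the top of the file
    print(plugin_version(head), "AFFECTED" if is_affected(head) else "not in affected range")
```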
Risk and Exploitability
The CVSS score of 5.9 indicates a medium-severity threat. No EPSS score is available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting limited publicly known exploitation. The likely attack vector is input stored through the plugin's media replacement functionality, which requires an authenticated user with permission to replace media to inject malicious payloads.