Enable Media Replace < 4.1.5 – Reflected Cross-Site Scripting | CVE 2023-6737 | Plugin Vulnerabilities

Description

The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploiting this vulnerability requires the attacker to know the ID of an attachment uploaded by the user they are attacking.

Affects Plugins

enable-media-replace

Fixed in 4.1.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c37d8218-6059-46f2-a5d9-d7c22486211e

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nex Team

Verified

No

WPVDB ID

d7c22e12-5c12-4aa7-8b4a-40eca8075e74

Timeline

Publicly Published

2023-12-18 (about 2 years ago)

Added

2023-12-19 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-08-09

Title

Opal Membership <= 1.2.4 - Unauthenticated Stored Cross-Site Scripting

Published

2025-01-10

Title

Tabulate <= 2.10.3 - Reflected XSS

Published

2022-01-11

Title

Adaptive Images < 0.6.69 - Reflected Cross-Site Scripting

Published

2021-12-06

Title

Multivendor Marketplace Solution for WooCommerce < 3.8.4 - Reflected Cross-Site Scripting

Published

2024-08-26

Title

Brickscore <= 1.4.2.5 - Unauthenticated Stored Cross-Site Scripting