Enable Media Replace plugin: Unauthorized file tampering by attackers with Author access
CVE-2026-2732
Summary
The Enable Media Replace plugin for WordPress allows unauthorized modification of media files. Authenticated attackers with Author-level access and above can replace any attachment with a removed background attachment. All versions up to and including 4.1.7 are affected; update to the latest version of the plugin to fix this issue.
Original title
The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all ve...
Original description
The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment.
NVD CVSS 3.1
5.4
Vulnerability type
CWE-862
Missing Authorization
- https://github.com/short-pixel-optimizer/enable-media-replace/commit/8ca282e68e5...
- https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/class...
- https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/class...
- https://plugins.trac.wordpress.org/changeset/3473504/enable-media-replace#file26
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c5f2dc8-67f7-4dbf-863...
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026