Enable Media Replace Vulnerability – Reflected Cross-Site Scripting – CVE-2023-6737 | WordPress Plugin Vulnerability Report
Plugin Name: Enable Media Replace
Key Information:
- Software Type: Plugin
- Software Slug: enable-media-replace
- Software Status: Active
- Software Author: shortpixel
- Software Downloads: 10,049,054
- Active Installs: 600,000
- Last Updated: December 18, 2023
- Patched Versions: 4.1.5
- Affected Versions: <= 4.1.4
Vulnerability Details:
- Name: Enable Media Replace <= 4.1.4 - Reflected Cross-Site Scripting
- Title: Reflected Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-6737
- CVSS Score: 4.7 (Medium)
- Publicly Published: December 18, 2023
- Researcher: Nex Team
- Description: The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploiting this vulnerability requires the attacker to know the ID of an attachment uploaded by the user they are attacking.
Summary:
The Enable Media Replace plugin for WordPress has a vulnerability in versions up to and including 4.1.4 that allows for Reflected Cross-Site Scripting. This vulnerability has been patched in version 4.1.5.
Detailed Overview:
The researcher Nex Team discovered a reflected cross-site scripting vulnerability in the Enable Media Replace plugin. This is caused by insufficient sanitization of the SHORTPIXEL_DEBUG parameter, allowing unauthenticated attackers to inject arbitrary JavaScript if they can trick a user into clicking a crafted link. The attacker would need to know the ID of an attachment uploaded by the target user to exploit this. This impacts all versions up to and including 4.1.4. Users should update to version 4.1.5 or later to mitigate this vulnerability.
Advice for Users:
- Immediate Action: Update to version 4.1.5 or later
- Check for Signs of Vulnerability: Review site access and error logs for any suspicious activity
- Alternate Plugins: Consider alternative plugins like Enable Media Replace By MASHS
- Stay Updated: Enable auto-updates for plugins to receive security fixes
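One way to carry out the log review suggested above, as an added example that is not code from the plugin or from the original report: it scans web server access logs for requests whose SHORTPIXEL_DEBUG value contains anything other than a plain token once percent-encoding is undone. The Combined Log Format, the placeholder request paths, the sample lines and the rule that benign values match `[A-Za-z0-9_-]*` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PARAM = "shortpixel_debug"                    # parameter named in the advisory
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]*$")  # assumption: benign values are plain tokens


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (ip, time, status, decoded_value) for each flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, when, _method, target, status = m.groups()
        # parse_qsl already decodes one layer of percent-encoding
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name.lower() != PARAM:
                continue
            decoded = fully_decode(value)
            if not SAFE_VALUE.match(decoded):
                hits.append((ip, when, int(status), decoded))
    return hits


# Constructed sample lines (not real traffic); the request paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2023:10:01:02 +0000] "GET /wp-admin/placeholder.php?SHORTPIXEL_DEBUG=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Dec/2023:10:01:09 +0000] "GET /wp-admin/placeholder.php?SHORTPIXEL_DEBUG=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [19/Dec/2023:10:02:00 +0000] "GET /wp-admin/placeholder.php?SHORTPIXEL_DEBUG=4 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [19/Dec/2023:10:03:00 +0000] "GET /wp-admin/upload.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a crafted link was requested; whether the script ran depends on the plugin version installed at that time.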
Conclusion:
The prompt release of version 4.1.5 by the developers addresses this vulnerability. Users should ensure they are running this latest version or later to secure their WordPress sites.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/enable-media-replace
Detailed Report:
Keeping your WordPress website secure should be a top priority – outdated plugins and themes open the door for attackers to compromise your site. Unfortunately, the popular Enable Media Replace plugin has a newly disclosed vulnerability that puts over 600,000 websites at risk.
Enable Media Replace is an extremely popular plugin, active on 600,000 sites and downloaded over 10 million times. It allows you to replace media files like images by uploading a new file in the same location, without losing the URLs or embedding in posts. For busy site owners, this functionality makes managing media far easier.
The vulnerability (CVE-2023-6737, CVSS 4.7, Medium) impacts all versions up to and including 4.1.4. It allows for reflected cross-site scripting through improper input sanitization and output escaping of the SHORTPIXEL_DEBUG parameter. In simpler terms, this means attackers could inject malicious JavaScript into vulnerable websites to steal user data, spread malware, redirect visitors, or carry out other nefarious actions – all by tricking someone into clicking a link.
The risks here include data theft, malware infection, fake messages or popup ads, denial of service attacks, SEO impacts, and blacklisting by sites like Google. The attacker needs to know the ID of an uploaded attachment to exploit this, but that is feasible for legitimate users of a site.
To remediate, you must upgrade immediately to version 4.1.5 or newer. Auto-update should have applied this fix already, but double-check your plugins page just in case. There have been 3 other vulnerabilities in Enable Media Replace since September 2022, underscoring the risks of outdated plugins.
As a small business owner without endless time to keep track of vulnerabilities like this, what can you do? Here are three tips:
- Consider an alternative plugin such as Enable Media Replace By MASHS. It offers similar functionality with potentially better security.
- Install a security plugin like Wordfence to automatically block exploitation attempts, monitor file changes, and alert you to issues.
- Work with a managed WordPress provider who can apply real-time updates and security hardening on the back end so you don't have to worry.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.