CVE-2025-9496
BaseFortify
Publication date: 2025-10-11
Last updated on: 2025-10-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shortpixel | enable_media_replace | 4.1.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9496 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Enable Media Replace, affecting all versions up to and including 4.1.6. It occurs because the plugin's file_modified shortcode does not properly sanitize and escape user-supplied attributes. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user data or site security. [2, 3]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor-level access or higher to inject arbitrary malicious scripts into the website. When other users visit the affected pages, these scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users. This can compromise the security and integrity of the website and its users. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Enable Media Replace WordPress plugin is installed and running a vulnerable version (up to and including 4.1.6). Since the vulnerability is a Stored Cross-Site Scripting (XSS) via the plugin's file_modified shortcode, detection can include scanning for usage of this shortcode with unsanitized user inputs in WordPress pages. Additionally, monitoring HTTP requests for suspicious scripts injected via media replacement operations by authenticated users with contributor-level access or higher can help. Specific commands are not provided in the resources, but general steps include checking the plugin version via WordPress admin or command line (e.g., WP-CLI: `wp plugin list`), and scanning site content for the shortcode usage with potentially malicious scripts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Enable Media Replace plugin to version 4.1.7 or later, which contains the security patch fixing the Stored Cross-Site Scripting vulnerability. This update includes improved input sanitization and validation to prevent malicious script injection. Additionally, ensure that only trusted users with appropriate permissions (contributor-level and above) have access to media replacement features. If updating immediately is not possible, consider disabling or restricting the plugin's media replacement functionality temporarily to reduce risk. [2, 3]