{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2732", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-19T06:33:05.462Z", "datePublished": "2026-03-04T06:26:53.170Z", "dateUpdated": "2026-04-08T16:43:53.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:53.355Z"}, "affected": [{"vendor": "shortpixel", "product": "Enable Media Replace", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment."}], "title": "Enable Media Replace <= 4.1.7 - Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c5f2dc8-67f7-4dbf-8631-f434522f1b53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/classes/ViewController/RemoveBackgroundViewController.php#L35"}, {"url": "https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/classes/ViewController/RemoveBackgroundViewController.php#L68"}, {"url": "https://github.com/short-pixel-optimizer/enable-media-replace/commit/8ca282e68e5fcf8a8e4cecc1f0ab192c42b1dc66"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473504/enable-media-replace#file26"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Or Benit"}], "timeline": [{"time": "2026-02-19T06:51:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-03T18:17:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T15:03:15.412334Z", "id": "CVE-2026-2732", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:03:24.405Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T15:03:15.412334Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T15:03:18.652Z"}}], "cna": {"title": "Enable Media Replace <= 4.1.7 - Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace", "credits": [{"lang": "en", "type": "finder", "value": "Or Benit"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "shortpixel", "product": "Enable Media Replace", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-19T06:51:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-03T18:17:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c5f2dc8-67f7-4dbf-8631-f434522f1b53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/classes/ViewController/RemoveBackgroundViewController.php#L35"}, {"url": "https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/classes/ViewController/RemoveBackgroundViewController.php#L68"}, {"url": "https://github.com/short-pixel-optimizer/enable-media-replace/commit/8ca282e68e5fcf8a8e4cecc1f0ab192c42b1dc66"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473504/enable-media-replace#file26"}], "descriptions": [{"lang": "en", "value": "The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:53.355Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2732", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:53.355Z", "dateReserved": "2026-02-19T06:33:05.462Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-04T06:26:53.170Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment."}, {"lang": "es", "value": "El plugin Enable Media Replace para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una verificaci\u00f3n de capacidad inadecuada en la funci\u00f3n 'RemoveBackGroundViewController::load' en todas las versiones hasta la 4.1.7, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Autor o superior, reemplacen cualquier archivo adjunto con un archivo adjunto con el fondo eliminado."}], "id": "CVE-2026-2732", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-04T07:16:14.577", "references": [{"source": "security@wordfence.com", "url": "https://github.com/short-pixel-optimizer/enable-media-replace/commit/8ca282e68e5fcf8a8e4cecc1f0ab192c42b1dc66"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/classes/ViewController/RemoveBackgroundViewController.php#L35"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/enable-media-replace/tags/4.1.7/classes/ViewController/RemoveBackgroundViewController.php#L68"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3473504/enable-media-replace#file26"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c5f2dc8-67f7-4dbf-8631-f434522f1b53?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Enable Media Replace", "source": "cna", "vendor": "shortpixel"}, "product": "enable_media_replace", "vendor": "shortpixel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:04:34.231164+00:00", "value": {"mitigation_remediation": ["Update the Enable Media Replace plugin to the latest released version which removes the improper capability check.", "If an immediate update is not feasible, disable the background replacement feature in the plugin\u2019s settings to prevent the function from being invoked by any user.", "Monitor attachment changes in the media library for unexpected replacements or modifications, and audit users with Author or higher roles for suspicious activity."], "summary": {"action": "Patch", "impact": "Improper Authorization allowing an authenticated Author or higher to arbitrarily replace media attachments with versions that have their background removed"}, "threat_synthesis": {"affected_systems": "All installations of the Enable Media Replace WordPress plugin from shortpixel that are at version 4.1.7 or earlier are affected. The plugin is commonly used on WordPress sites that manage media libraries and provide background removal features.", "description_and_impact": "The Enable Media Replace plugin suffers from an improper capability check in the RemoveBackGroundViewController::load function. Because of this flaw, an authenticated user with Author level access or higher can invoke the background replacement routine on any attachment, resulting in the original media file being overwritten with a background\u2011removed variant. This allows a legitimate contributor or attacker to modify or destroy content that they should not be able to alter, potentially causing integrity violations and loss of media assets.", "risk_and_exploitability": "The flaw is rated with a CVSS score of 5.4, indicating moderate severity. The EPSS score is less than 1%, suggesting a very low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session with Author or higher capabilities; unauthenticated attackers cannot trigger the vulnerability. Therefore, the attack vector is credential\u2011based, with the potential impact limited to the scope of the attacker\u2019s privileges but still allowing significant content tampering."}}}}, "created": "2026-03-04T14:53:15.607841+00:00", "updated": "2026-04-15T20:15:13.710194+00:00", "vendors": ["shortpixel", "shortpixel$PRODUCT$enable_media_replace", "wordpress", "wordpress$PRODUCT$wordpress"]}