Enable Media Replace Security & Risk Analysis

wordpress.org/plugins/enable-media-replace

Easily replace any attached image/file by simply uploading a new file in the Media Library edit view - a real time saver!

600K active installs · v4.1.8 · PHP 5.6+ · WP 4.9.7+ · Updated Mar 3, 2026

Tags: change-media, remove-background, replace, replace-image, replace-jpg

Security score: 92 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Mar 3, 2026
Safety Verdict

Is Enable Media Replace Safe to Use in 2026?

Generally Safe

Score 92/100

Enable Media Replace has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Mar 3, 2026 · Updated 1mo ago
Risk Assessment

The enable-media-replace plugin v4.1.8 presents a mixed security posture. While it demonstrates good practices in areas like using prepared statements for all SQL queries and implementing a reasonable number of capability checks, there are significant concerns that necessitate caution.

The static analysis reveals a limited attack surface, with no unprotected entry points detected. However, the presence of a taint flow with unsanitized paths is a red flag, indicating a potential for path traversal or similar vulnerabilities, even if no critical or high-severity taint issues were found in this specific analysis. The output escaping is also a concern, with over half of outputs not being properly escaped, leaving the plugin vulnerable to cross-site scripting (XSS) attacks.

The vulnerability history is a major concern, with a substantial number of known CVEs. The prevalence of vulnerabilities such as Missing Authorization, XSS, Path Traversal, and Unrestricted Uploads suggests recurring security flaws in the plugin's development. While there are currently no unpatched CVEs for this version, the sheer volume and nature of past vulnerabilities indicate a history of security weaknesses. This, combined with the static analysis findings, suggests that while the plugin might have been improved, its past record warrants careful scrutiny and prompt updates.

Key Concerns

  • High percentage of unescaped outputs
  • Flow with unsanitized paths found
  • Significant history of past vulnerabilities (7 CVEs)
  • Past vulnerabilities include critical types (XSS, Path Traversal)
Vulnerabilities (7)

Enable Media Replace Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 3 CVEs
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 6

7 total CVEs

CVE-2026-2732 · Medium · 5.4 · Missing Authorization

Enable Media Replace <= 4.1.7 - Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace

Mar 3, 2026 · Patched in 4.1.8 (1d)
CVE-2025-9496 · Medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Enable Media Replace <= 4.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via file_modified Shortcode

Oct 10, 2025 · Patched in 4.1.7 (1d)
CVE-2025-31081 · Medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Enable Media Replace <= 4.1.5 - Reflected Cross-Site Scripting

Apr 1, 2025 · Patched in 4.1.6 (9d)
CVE-2023-6737 · Medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Enable Media Replace <= 4.1.4 - Reflected Cross-Site Scripting

Dec 18, 2023 · Patched in 4.1.5 (225d)
CVE-2023-4643 · Medium · 6.6 · Deserialization of Untrusted Data

Enable Media Replace <= 4.1.2 - Authenticated (Author+) PHP Object Injection

Sep 14, 2023 · Patched in 4.1.3 (131d)
CVE-2023-0255 · High · 8.8 · Unrestricted Upload of File with Dangerous Type

Enable Media Replace <= 4.0.1 - Authenticated (Author+) Arbitrary File Upload

Jan 17, 2023 · Patched in 4.0.2 (371d)
CVE-2022-2554 · Medium · 6.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Enable Media Replace <= 3.6.3 - Authenticated (Administrator+) Path Traversal

Sep 14, 2022 · Patched in 4.0.0 (496d)
Code Analysis (analyzed Mar 16, 2026)

Enable Media Replace Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 53 (60 escaped)
Nonce Checks: 3
Capability Checks: 13
File Operations: 2
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

53% escaped (113 total outputs)

Data Flows (1 unsanitized)

Data Flow Analysis

1 flow, 1 with unsanitized paths
<do-replace-background> (views\do-replace-background.php:0)
Attack Surface

Enable Media Replace Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

[file_modified] classes\emr-plugin.php:127
WordPress Hooks (16)

action · init · classes\emr-plugin.php:24
action · admin_init · classes\emr-plugin.php:26
action · admin_menu · classes\emr-plugin.php:140
action · submenu_file · classes\emr-plugin.php:141
action · current_screen · classes\emr-plugin.php:143
action · admin_enqueue_scripts · classes\emr-plugin.php:144
filter · media_row_actions · classes\emr-plugin.php:148
action · attachment_submitbox_misc_actions · classes\emr-plugin.php:149
action · add_meta_boxes_attachment · classes\emr-plugin.php:155
filter · attachment_fields_to_edit · classes\emr-plugin.php:156
filter · wp_get_attachment_image_src · classes\emr-plugin.php:160
filter · postbox_classes_attachment_emr-showthumbs-box · classes\emr-plugin.php:164
action · admin_notices · classes\emr-plugin.php:215
filter · emr_display_replace_type_options · classes\externals.php:22
filter · emr_enable_replace_and_search · classes\externals.php:23
action · emr_after_replace_type_options · classes\externals.php:24
Maintenance & Trust

Enable Media Replace Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 5.6
Downloads: 12.5M

Community Trust

Rating: 88/100
Number of ratings: 300
Active installs: 600K
Developer Profile

Enable Media Replace Developer Profile

ShortPixel

8 plugins · 1.2M total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 239 days
Detection Fingerprints

How We Detect Enable Media Replace

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/enable-media-replace/build/shortpixel/assets/css/emr-admin.css
/wp-content/plugins/enable-media-replace/build/shortpixel/assets/js/emr-admin.js
Script Paths
/wp-content/plugins/enable-media-replace/build/shortpixel/assets/js/emr-admin.js
Version Parameters
/wp-content/plugins/enable-media-replace/build/shortpixel/assets/css/emr-admin.css?ver=
/wp-content/plugins/enable-media-replace/build/shortpixel/assets/js/emr-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
emr-replace-media-admin-wrap
HTML Comments
<!-- emr_placeholder -->
Data Attributes
data-emr-attachment-id
data-emr-replace-nonce
JS Globals
emr_admin_data
REST Endpoints
/wp-json/emr/v1/replace_media
FAQ

Frequently Asked Questions about Enable Media Replace