Enable Media Replace < 4.1.3 - Author+ PHP Object Injection
CVE-2023-4643

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Enable Media Replace
Vendor: CVE Published:; 16 October 2023

Summary

The Enable Media Replace plugin for WordPress prior to version 4.1.3 is vulnerable due to improper handling of user input through the Remove Background feature. An attacker with Author+ privileges can exploit this vulnerability to perform PHP Object Injection if a suitable gadget exists within the blog environment, potentially compromising the site's security.

Affected Version(s)

Enable Media Replace 0 < 4.1.3

References

https://wpscan.com/vulnerability/d9125604-2236-435c-a67c-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2023
Vulnerability Reserved
Aug 30, 2023

Credit

Jonatas Souza Villa Flor

WPScan