CVE-2026-2732

CWE-862 — Missing Authorization4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.0%

top 84.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shortpixel Enable Media Replace

Timeline

PublishedMar 4

Description

The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

▶CVEListV5shortpixel/enable_media_replace4.1.7

🔴Vulnerability Details

CVEList

Enable Media Replace <= 4.1.7 - Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace↗2026-03-04

▶

GHSA

GHSA-jw7h-j47j-qm3h: The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBac↗2026-03-04

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2732 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶