CVE-2023-6737: 
WordPress vulnerability analysis and mitigation

The Enable Media Replace WordPress plugin contains a Reflected Cross-Site Scripting vulnerability (CVE-2023-6737) discovered in versions up to and including 4.1.4. The vulnerability was identified in December 2023 by the Nex Team and is related to insufficient input sanitization and output escaping of the SHORTPIXEL_DEBUG parameter (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.1 (MEDIUM) according to NIST, and 4.7 (MEDIUM) according to Wordfence. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The exploitation requires the attacker to know the ID of an attachment uploaded by the target user (NVD).

A patch has been released to address this vulnerability. Users should update their Enable Media Replace plugin to a version newer than 4.1.4 to mitigate this security risk (WordPress Patch).