CVE-2025-9496: 
WordPress vulnerability analysis and mitigation

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's file_modified shortcode in versions up to and including 4.1.6. The vulnerability was discovered and responsibly disclosed by the Wordfence team, and was patched in version 4.1.7 released on October 2, 2025 (NVD, Rapid7).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the file_modified shortcode. This security flaw allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows authenticated attackers to inject malicious scripts that execute in visitors' browsers when they access the affected pages. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks against site visitors (Rapid7).

The recommended mitigation is to update the Enable Media Replace plugin to version 4.1.7 or later, which contains the security patch. The update was released on October 2, 2025, and includes fixes for the XSS vulnerability along with some text typo corrections (WordPress Plugin).