Plugin inspection:

Enable Media Replace

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.


This recommendation applies to version 2.9.4 of this plugin, but the most recent version is 3.0.3. These findings may no longer be correct.


  • SQL is not escaped (upload.php, lines 131, 141, 148, 156), probably only exploitable by an admin
  • Uses mysql_* functions instead of $wpdb
  • Note that it adds nonce values as URL parameters instead of as hidden fields in the forms

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

May contain SQL injection vulnerabilities, probably only exploitable by admin users.

Failure criteria

  • Execution of unprepared SQL statements
  • Failure to use available core functionality

Read more about our failure criteria.