| Nombre del plugin | Logo Manager For Enamad |
|---|---|
| Tipo de vulnerabilidad | Scripting entre sitios (XSS) |
| Número CVE | CVE-2026-6549 |
| Urgencia | Baja |
| Fecha de publicación de CVE | 2026-05-20 |
| URL de origen | CVE-2026-6549 |
Authenticated Contributor Stored XSS in Logo Manager For Enamad (<= 0.7.4) — What WordPress Site Owners Must Do Now
Date: 2026-05-19 | Author: Hong Kong Security Expert
TL;DR
A stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-6549) in the WordPress plugin “Logo Manager For Enamad” (versions ≤ 0.7.4) lets an authenticated Contributor inject HTML/JavaScript that can persist and execute when higher-privileged users view the data. CVSS: 6.5. If this plugin is installed, follow the immediate mitigation and remediation steps below. If you cannot update or remove the plugin immediately, consider virtual patching at the perimeter.
Why this matters (short, practical explanation)
Stored XSS is frequently abused on WordPress sites. Practical impact for this issue:
- An authenticated Contributor can inject a malicious script into plugin-managed data (for example, logo meta or description fields).
- The malicious script is stored in the database (stored XSS).
- When an administrator, editor or other privileged user views the infected area, the script executes in their browser.
- Consequences include session theft, forged administrative requests, creation of backdoors, or broader site compromise.
Many sites allow contributor registrations or accept contributor submissions, making this a realistic threat even though the initial attacker must be authenticated.
Datos clave
- Affected plugin: Logo Manager For Enamad
- Vulnerable versions: ≤ 0.7.4
- Tipo de vulnerabilidad: Cross-Site Scripting almacenado (XSS)
- Privilegio requerido: Contribuyente (autenticado)
- CVE: CVE-2026-6549
- Puntuación base CVSS: 6.5 (Media)
- Patch status: No official patch available at time of public disclosure
- Exploitation complexity: Requires user interaction / privileged user view
