| Plugin Name | Logo Manager For Enamad |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2026-6549 |
| Urgency | Low |
| CVE Publish Date | 2026-05-20 |
| Source URL | CVE-2026-6549 |
Authenticated Contributor Stored XSS in Logo Manager For Enamad (<= 0.7.4) — What WordPress Site Owners Must Do Now
Date: 2026-05-19 | Author: Hong Kong Security Expert
TL;DR
A stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-6549) in the WordPress plugin “Logo Manager For Enamad” (versions ≤ 0.7.4) lets an authenticated Contributor inject HTML/JavaScript that can persist and execute when higher-privileged users view the data. CVSS: 6.5. If this plugin is installed, follow the immediate mitigation and remediation steps below. If you cannot update or remove the plugin immediately, consider virtual patching at the perimeter.
Why this matters (short, practical explanation)
Stored XSS is frequently abused on WordPress sites. Practical impact for this issue:
- An authenticated Contributor can inject a malicious script into plugin-managed data (for example, logo meta or description fields).
- The malicious script is stored in the database (stored XSS).
- When an administrator, editor or other privileged user views the infected area, the script executes in their browser.
- Consequences include session theft, forged administrative requests, creation of backdoors, or broader site compromise.
Many sites allow contributor registrations or accept contributor submissions, making this a realistic threat even though the initial attacker must be authenticated.
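Added here as an illustration of the bug class described above, not the plugin's own code: the `lme_` function names and meta keys are hypothetical placeholders. The first function shows the unescaped-output pattern that turns Contributor-supplied data into stored XSS in an admin view; the others show the hardened form, which checks capability and nonce, sanitises on write, and escapes on output for each HTML context.

```php
<?php
// Added illustration, not the plugin's code. The 'lme_' function names and
// '_lme_*' meta keys are hypothetical placeholders.

// Vulnerable pattern: a value a Contributor stored is echoed into an admin
// page verbatim, so any markup it contains becomes live in that user's browser.
function lme_render_logo_description_unsafe( int $logo_id ): void {
    $description = get_post_meta( $logo_id, '_lme_logo_description', true );
    echo '<p class="logo-description">' . $description . '</p>';
}

// Hardened pattern, two layers:
// 1) on write: capability check, nonce check, and sanitisation of each field;
// 2) on output: escape for the exact context (HTML text, attribute, URL).
function lme_save_logo_description( int $logo_id, array $request ): bool {
    if ( ! current_user_can( 'edit_post', $logo_id ) ) {
        return false;
    }
    $nonce = $request['_lme_nonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'lme_save_logo_' . $logo_id ) ) {
        return false;
    }
    // Plain-text field: strip all tags. Use wp_kses_post() instead only where
    // rich text is genuinely intended, never raw input.
    $clean = sanitize_text_field( wp_unslash( $request['lme_description'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $request['lme_site_url'] ?? '' ) );
    update_post_meta( $logo_id, '_lme_logo_description', $clean );
    update_post_meta( $logo_id, '_lme_site_url', $url );
    return true;
}

function lme_render_logo_description_safe( int $logo_id ): void {
    $description = get_post_meta( $logo_id, '_lme_logo_description', true );
    $url         = get_post_meta( $logo_id, '_lme_site_url', true );
    // Escape at output even though the value was sanitised on write: rows
    // stored before the fix, or by other code paths, may still carry markup.
    printf(
        '<p class="logo-description" data-logo-id="%s"><a href="%s">%s</a></p>',
        esc_attr( (string) $logo_id ),
        esc_url( $url ),
        esc_html( $description )
    );
}
```

When reviewing a plugin for this class of issue, grep its admin templates for `echo` and `printf` of values that come from `get_post_meta()`, `get_option()` or `$_POST` without an `esc_*()` or `wp_kses*()` wrapper.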
Key facts
- Affected plugin: Logo Manager For Enamad
- Vulnerable versions: ≤ 0.7.4
- Vulnerability type: Stored Cross-Site Scripting (XSS)
- Required privilege: Contributor (authenticated)
- CVE: CVE-2026-6549
- CVSS base score: 6.5 (Medium)
- Patch status: No official patch available at time of public disclosure
- Exploitation complexity: Requires user interaction / privileged user view