| 插件名稱 | Logo Manager For Enamad |
|---|---|
| 漏洞類型 | 跨站腳本攻擊 (XSS) |
| CVE 編號 | CVE-2026-6549 |
| 緊急程度 | 低 |
| CVE 發布日期 | 2026-05-20 |
| 來源 URL | CVE-2026-6549 |
Authenticated Contributor Stored XSS in Logo Manager For Enamad (<= 0.7.4) — What WordPress Site Owners Must Do Now
Date: 2026-05-19 | Author: Hong Kong Security Expert
TL;DR
A stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-6549) in the WordPress plugin “Logo Manager For Enamad” (versions ≤ 0.7.4) lets an authenticated Contributor inject HTML/JavaScript that can persist and execute when higher-privileged users view the data. CVSS: 6.5. If this plugin is installed, follow the immediate mitigation and remediation steps below. If you cannot update or remove the plugin immediately, consider virtual patching at the perimeter.
Why this matters (short, practical explanation)
Stored XSS is frequently abused on WordPress sites. Practical impact for this issue:
- An authenticated Contributor can inject a malicious script into plugin-managed data (for example, logo meta or description fields).
- The malicious script is stored in the database (stored XSS).
- When an administrator, editor or other privileged user views the infected area, the script executes in their browser.
- Consequences include session theft, forged administrative requests, creation of backdoors, or broader site compromise.
Many sites allow contributor registrations or accept contributor submissions, making this a realistic threat even though the initial attacker must be authenticated.
主要事實
- Affected plugin: Logo Manager For Enamad
- Vulnerable versions: ≤ 0.7.4
- 漏洞類型:儲存型跨站腳本 (XSS)
- 所需權限:貢獻者(已驗證)
- CVE: CVE-2026-6549
- CVSS 基本分數:6.5(中等)
- Patch status: No official patch available at time of public disclosure
- Exploitation complexity: Requires user interaction / privileged user view
