| Plugin name | Logo Manager For Enamad |
|---|---|
| Vulnerability type | Cross-Site Scripting (XSS) |
| CVE ID | CVE-2026-6549 |
| Urgency | Low |
| CVE publication date | 2026-05-20 |
| Source URL | CVE-2026-6549 |
Authenticated Contributor Stored XSS in Logo Manager For Enamad (<= 0.7.4) — What WordPress Site Owners Must Do Now
Date: 2026-05-19 | Author: Hong Kong Security Expert
TL;DR
A stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-6549) in the WordPress plugin “Logo Manager For Enamad” (versions ≤ 0.7.4) lets an authenticated Contributor inject HTML/JavaScript that can persist and execute when higher-privileged users view the data. CVSS: 6.5. If this plugin is installed, follow the immediate mitigation and remediation steps below. If you cannot update or remove the plugin immediately, consider virtual patching at the perimeter.
Why this matters (short, practical explanation)
Stored XSS is frequently abused on WordPress sites. Practical impact for this issue:
- An authenticated Contributor can inject a malicious script into plugin-managed data (for example, logo meta or description fields).
- The malicious script is stored in the database (stored XSS).
- When an administrator, editor or other privileged user views the infected area, the script executes in their browser.
- Consequences include session theft, forged administrative requests, creation of backdoors, or broader site compromise.
Many sites allow contributor registrations or accept contributor submissions, making this a realistic threat even though the initial attacker must be authenticated.
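As an added example (not the plugin's own code, which is not reproduced here), the plain PHP below contrasts an unescaped output sink with context-aware escaping of the kind WordPress provides through esc_html() and esc_attr(); the field names and sample values are hypothetical and constructed.

```php
<?php
// Added illustration, not the plugin's code. It shows the pattern behind this
// class of bug: text a Contributor saved (e.g. a logo title/description) is
// later echoed into an admin page. Field names and values are hypothetical.

// Constructed sample of Contributor-supplied values as they might sit in the DB.
$stored_logo = [
    'title'       => 'Acme <script>alert(1)</script>',
    'description' => 'Partner" onmouseover="alert(1)',
];

// VULNERABLE sink: raw interpolation into element content and an attribute.
function render_logo_unsafe(array $logo): string {
    return '<h3>' . $logo['title'] . '</h3>'
         . '<img src="logo.png" alt="' . $logo['description'] . '">';
}

// Context-aware escaping at the output sink. Inside WordPress use esc_html()
// and esc_attr(); htmlspecialchars() is the plain-PHP fallback so this runs alone.
function out_html(string $s): string {
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function out_attr(string $s): string {
    return function_exists('esc_attr')
        ? esc_attr($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// FIXED sink: every stored value is escaped for the context it lands in.
function render_logo_safe(array $logo): string {
    return '<h3>' . out_html($logo['title']) . '</h3>'
         . '<img src="logo.png" alt="' . out_attr($logo['description']) . '">';
}

// Defence in depth on the write path: strip tags before saving text fields.
// WordPress provides sanitize_text_field(); strip_tags() stands in here.
function sanitize_logo_field(string $s): string {
    return function_exists('sanitize_text_field')
        ? sanitize_text_field($s)
        : trim(strip_tags($s));
}

echo "Unsafe:            " . render_logo_unsafe($stored_logo) . PHP_EOL;
echo "Escaped:           " . render_logo_safe($stored_logo) . PHP_EOL;
echo "Sanitized on save: " . sanitize_logo_field($stored_logo['description']) . PHP_EOL;
```

Note that tag stripping on save leaves the attribute-breaking description value untouched, which is why escaping at the output sink, not input filtering alone, is the fix that closes this class of bug.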
Key facts
- Affected plugin: Logo Manager For Enamad
- Vulnerable versions: ≤ 0.7.4
- Vulnerability type: Stored Cross-Site Scripting (XSS)
- Required privilege: Contributor (authenticated)
- CVE: CVE-2026-6549
- CVSS base score: 6.5 (Medium)
- Patch status: No official patch available at time of public disclosure
- Exploitation complexity: Requires user interaction / privileged user view