CVE-2025-57998

The E-namad & Shamed Logo Manager plugin for WordPress versions up to and including 2.2 suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows attackers to inject arbitrary HTML and JavaScript code that will be stored on the server and executed when users access the affected page.

Exploitation requires a user with administrative privileges to perform an action, such as clicking a malicious link or visiting a crafted page [1]. However, once the script is injected, any visitor to the site, including non-authenticated users, will have the script executed in their browser.

The impact includes potential redirects to malicious sites, display of unwanted advertisements, theft of session cookies, or defacement of the website [1]. This vulnerability is commonly used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of their size or popularity [1].

As an immediate mitigation, it is recommended to update the plugin to a version newer than 2.2 [1]. If updating is not possible, site administrators should contact their hosting provider or a web developer for assistance.