CVE-2026-6549
Description
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Logo Manager For Enamad WordPress plugin (≤0.7.4) suffers from stored XSS via shortcode attributes, allowing contributor-level attackers to inject arbitrary scripts.
Vulnerability Overview
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 0.7.4. The flaw resides in the vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom shortcodes, where the 'title' attribute is not properly sanitized or escaped before being stored and later rendered. This insufficient input validation allows malicious HTML or JavaScript to be embedded in page content [1].
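To show the defect class described above in code, the following is an added illustration, not the plugin's own code from widgets.php: a hypothetical shortcode (`example_logo`) whose 'title' attribute is first rendered without escaping, then the same handler hardened with WordPress core helpers (shortcode_atts, sanitize_text_field, esc_url, esc_attr, esc_html). The shortcode name, attribute set and function names are assumptions for the example; a WordPress runtime is assumed for the helper functions.

```php
<?php
// Added example for CVE-2026-6549's defect class. Hypothetical shortcode
// handlers; NOT the Logo Manager For Enamad plugin's own code.
// Assumes WordPress core is loaded (shortcode_atts, sanitize_text_field,
// esc_url, esc_attr, esc_html, add_shortcode are core functions).

// UNSAFE PATTERN: attribute values are concatenated into HTML verbatim.
// A contributor (who may save shortcodes but lacks unfiltered_html) can
// store a 'title' that closes the attribute and carries markup; WordPress
// stores the post content and every later render emits it unchanged,
// which is exactly the stored-XSS condition the advisory describes.
function example_logo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '' ),
        $atts,
        'example_logo'
    );
    return '<a href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
        . $atts['title'] . '</a>';
}

// HARDENED: validate on input, escape on output, per output context.
function example_logo_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '' ),
        $atts,
        'example_logo'
    );

    // sanitize_text_field() strips tags and stray control characters;
    // esc_url() rejects unsafe schemes (e.g. javascript:) and returns ''.
    $title = sanitize_text_field( $atts['title'] );
    $url   = esc_url( $atts['url'] );

    if ( '' === $url ) {
        return ''; // nothing to render without an acceptable link target
    }

    // esc_attr() for the attribute context, esc_html() for the text node.
    // Escaping happens at render time, so content stored before the fix
    // is also neutralised on its next display.
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        $url,
        esc_attr( $title ),
        esc_html( $title )
    );
}

add_shortcode( 'example_logo', 'example_logo_shortcode_safe' );
```

When auditing a shortcode-based plugin for this pattern, the thing to look for is a shortcode callback whose returned string concatenates values from `$atts` without an `esc_attr()` / `esc_html()` / `esc_url()` call at the point of output; sanitizing on save alone is not sufficient, because shortcode attributes are re-parsed from post content on every render.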
Exploitation Conditions
An attacker must have at least contributor-level access to the WordPress site to exploit this vulnerability. By crafting a shortcode with a malicious 'title' attribute, the attacker can inject arbitrary web scripts. The injected script will execute whenever any user, including administrators or visitors, accesses the affected page. No additional privileges or network position are required beyond the contributor role [1].
Impact
Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing pages, or performing other client-side attacks. Because the XSS is stored, the payload persists across sessions and can affect multiple users without further interaction from the attacker [1].
Mitigation Status
The plugin has been closed as of May 14, 2026, pending a full review, and is no longer available for download from the WordPress plugin repository. Users are advised to remove the plugin from their installations or replace it with an alternative solution. No patched version has been released [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2 shown, 1 more not listed)
- (no CPE)
- (no CPE), version range: <=0.7.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- plugins.trac.wordpress.org/browser/logo-manager-for-enamad/tags/0.7.4/widgets.php (source: nvd)
- plugins.trac.wordpress.org/browser/logo-manager-for-enamad/trunk/widgets.php (source: nvd)
- wordpress.org/plugins/logo-manager-for-enamad (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/ed6d1167-c89d-4c97-9446-b968df945e6c (source: nvd)
News mentions (0)
No linked articles in our index yet.