Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Afzal Multani WP Logo Changer am-login-logo allows Stored XSS. This issue affects WP Logo Changer: from n/a through <= 1.2.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Logo Changer plugin contains an Improper Neutralization of Input During Web Page Generation vulnerability, which allows attackers to store malicious JavaScript code. When site visitors load a page that includes the stored data, the injected script executes in their browsers, enabling credential theft, defacement, or other malicious actions. The flaw is a classic stored XSS and is classified as CWE‑79.

Affected Systems

WordPress sites that have installed the WP Logo Changer plugin version 1.2 or earlier, specifically the am‑login‑logo plugin by Afzal Multani. No later versions are known to be affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity; however, the EPSS of less than 1% indicates a low estimated probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. To exploit it, an attacker would need to inject malicious content into the plugin's configuration, which typically requires an administrator or a user with permission to modify the logo settings. Once the content is stored, any visitor to the affected page would run the script. Given the low exploitation probability but significant potential damage, prompt remediation is advised.

Generated by OpenCVE AI on April 30, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or disable the WP Logo Changer plugin until an updated version is released
  • Upgrade the plugin to a version newer than 1.2 that contains the XSS fix
  • Restrict access to the plugin configuration interface to trusted administrators only and ensure any custom logo input is sanitized or escaped before rendering



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 10 Nov 2025 20:15:00 +0000

Metrics
  Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 20:30:00 +0000

First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Values Added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Afzal Multani WP Logo Changer am-login-logo allows Stored XSS. This issue affects WP Logo Changer: from n/a through <= 1.2.
  Title: WordPress WP Logo Changer Plugin <= 1.2 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses: CWE-79
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:21.814Z

Reserved: 2025-06-27T10:28:19.988Z

Link: CVE-2025-53245

Vulnrichment

Updated: 2025-11-10T19:30:08.211Z

NVD

Status: Deferred

Published: 2025-11-06T16:15:55.637

Modified: 2026-04-27T18:16:21.067

Link: CVE-2025-53245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z
