Description
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Logo Manager For Enamad plugin for WordPress contains a stored cross-site scripting flaw that occurs when the 'title' attribute of the vc_enamad_namad, vc_enamad_shamed, or vc_enamad_custom shortcodes is not properly sanitized. Authenticated users with contributor or higher privileges can insert arbitrary JavaScript into the attribute, causing the script to execute in the browsers of any visitor who loads the affected page. This could allow theft of session cookies, defacement of content, or execution of additional malicious payloads.

Affected Systems

All releases of the Logo Manager For Enamad plugin up to and including version 0.7.4 are affected. The plugin is distributed by the vendor goback2 under the product name 'Logo Manager For Enamad'. Any WordPress site that has installed this plugin and has contributors or higher roles that can edit content containing these shortcodes is at risk.

Risk and Exploitability

The CVSS base score of 6.4 classifies the vulnerability as moderately severe. Because exploitation requires a legitimate contributor account, the attack surface may be limited to sites with many contributors, but the impact on end users can be significant if scripts are injected. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely abused. Nonetheless, organizations should treat it as a priority risk and apply remediation promptly.

Generated by OpenCVE AI on May 20, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Logo Manager For Enamad plugin to the latest available version (>=0.7.5), which contains proper sanitization of the 'title' attribute.
  • If an upgrade is not immediately possible, remove or replace the vulnerable shortcodes from all posts and pages, or revert the 'title' attributes to static text, to eliminate the stored XSS vector.
  • Configure WordPress to restrict contributor users from editing shortcode attributes or enforce a content security policy that blocks inline scripts, thereby reducing the chance of an attacker executing injected code.

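The defect class described above (a shortcode attribute written into HTML without contextual escaping) is easiest to see next to its fix. The following is an added illustration, not the plugin's code: a hypothetical `example_logo` shortcode whose name, attributes and markup are assumptions chosen for the example. It uses the real WordPress functions `add_shortcode`, `shortcode_atts`, `sanitize_text_field`, `esc_attr`, `esc_url` and `esc_html`.

```php
<?php
// Added illustration (not the plugin's code). Shortcode names, attribute
// names and the rendered markup are assumptions made for this example.

// Vulnerable pattern: the attribute value is concatenated straight into an
// HTML attribute and a text node. Any contributor who can place the
// shortcode in a post controls raw HTML in the rendered page.
function example_logo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '' ),
        $atts,
        'example_logo_unsafe'
    );
    return '<a href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
         . $atts['title'] . '</a>';
}
add_shortcode( 'example_logo_unsafe', 'example_logo_shortcode_unsafe' );

// Hardened pattern: escape at output time, choosing the escaper for the
// context the value lands in (esc_attr for attribute values, esc_url for
// href, esc_html for text content). sanitize_text_field() on input is a
// second layer; contextual output escaping is what closes this bug class.
function example_logo_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'url' => '' ),
        $atts,
        'example_logo'
    );
    $title = sanitize_text_field( $atts['title'] );
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $title ),
        esc_html( $title )
    );
}
add_shortcode( 'example_logo', 'example_logo_shortcode_safe' );
```

With the hardened handler, a title containing quote characters or angle brackets is rendered as inert text inside the attribute and the link body; the unsafe handler passes those characters through unchanged, which is the condition the CWE-79 classification on this record refers to. When reviewing a plugin for this pattern, look for shortcode callbacks that concatenate `$atts[...]` into returned markup without an `esc_*` wrapper.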

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Goback2
                    |                | Goback2 logo Manager For Enamad
                    |                | Wordpress
                    |                | Wordpress wordpress
Vendors & Products  |                | Goback2
                    |                | Goback2 logo Manager For Enamad
                    |                | Wordpress
                    |                | Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Goback2 Logo Manager For Enamad
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T13:02:04.811Z

Reserved: 2026-04-17T19:38:30.331Z

Link: CVE-2026-6549

Vulnrichment

Updated: 2026-05-20T13:01:59.280Z

NVD

Status : Deferred

Published: 2026-05-20T02:16:38.780

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:08Z

Weaknesses