CVE-2026-6549 goback2 CVE debrief

Who should care

WordPress site administrators using the Logo Manager For Enamad plugin; security teams managing WordPress content management systems; developers maintaining plugins with shortcode functionality

Technical summary

The Logo Manager For Enamad plugin fails to sanitize and escape the 'title' attribute in its Visual Composer shortcodes (vc_enamad_namad, vc_enamad_shamed, vc_enamad_custom). This allows authenticated users with contributor privileges or higher to supply malicious JavaScript payloads that persist in post content and execute in victims' browsers. The vulnerability is classified as stored XSS (CWE-79) with network attack vector, low attack complexity, low privileges required, no user interaction needed, and changed scope impact.

Defensive priority

medium

Recommended defensive actions

• Update the Logo Manager For Enamad plugin to a version newer than 0.7.4 if available, or remove the plugin if updates are not forthcoming
• Review existing posts and pages for suspicious shortcode usage, particularly examining the 'title' attribute in vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom shortcodes
• Implement Content Security Policy headers to mitigate impact of any unpatched XSS vectors
• Restrict contributor and author role assignments to trusted users only, as these roles can exploit this vulnerability
• Consider using a Web Application Firewall with XSS filtering rules as a compensating control until patching is complete

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code references. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as the underlying weakness. Affected code locations identified in widgets.php at line 295 in both tagged version 0.7.4 and trunk.

Official resources