CVE-2024-5170: 
WordPress vulnerability analysis and mitigation

The Logo Manager For Enamad WordPress plugin through version 0.7.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed in September 2024, affecting all versions of the plugin up to and including 0.7.1. The issue exists in the plugin's widgets settings functionality (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping in the plugin's widgets settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly relevant in multisite setups. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users with high privileges to store and execute malicious JavaScript code through the plugin's widget settings. When exploited, this could lead to client-side attacks against other users viewing the affected widget settings, potentially compromising their browser sessions (WPScan).

As of the current reporting, there is no known fix available for this vulnerability. Users should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).