{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2499", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T21:45:14.383Z", "datePublished": "2026-02-26T01:24:15.718Z", "dateUpdated": "2026-04-08T17:09:26.381Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:26.381Z"}, "affected": [{"vendor": "tgrk", "product": "Custom Logo", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Custom Logo <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Logo Path Setting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92705581-9a0d-4d23-9118-fec9100e4ce1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-logo/trunk/custom-logo.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-logo/tags/2.2/custom-logo.php#L18"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-02-25T12:48:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:08:12.583568Z", "id": "CVE-2026-2499", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:10:28.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2499", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:08:12.583568Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:08:51.119Z"}}], "cna": {"title": "Custom Logo <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Logo Path Setting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "tgrk", "product": "Custom Logo", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-25T12:48:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92705581-9a0d-4d23-9118-fec9100e4ce1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-logo/trunk/custom-logo.php#L18"}, {"url": "https://plugins.trac.wordpress.org/browser/custom-logo/tags/2.2/custom-logo.php#L18"}], "descriptions": [{"lang": "en", "value": "The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:26.381Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2499", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:09:26.381Z", "dateReserved": "2026-02-13T21:45:14.383Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-26T01:24:15.718Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El plugin Custom Logo para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n de administrador en todas las versiones hasta la 2.2, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con permisos de nivel de administrador y superiores, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a las instalaciones multisitio y a las instalaciones donde se ha deshabilitado unfiltered_html."}], "id": "CVE-2026-2499", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:25.233", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-logo/tags/2.2/custom-logo.php#L18"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/custom-logo/trunk/custom-logo.php#L18"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92705581-9a0d-4d23-9118-fec9100e4ce1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Custom Logo", "source": "cna", "vendor": "tgrk"}, "product": "custom_logo", "vendor": "tgrk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:02:54.932633+00:00", "value": {"mitigation_remediation": ["Upgrade the Custom Logo plugin to version 2.3 or later where the vulnerability is removed.", "If an update is not immediately possible, temporarily deactivate or uninstall the Custom Logo plugin until a patched release is available.", "After remediation, verify that the unfiltered_html option remains disabled on multisite installations and limit administrator accounts to the minimum required for operations."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Custom Logo plugin up to version 2.2, namely multisite deployments that have unfiltered_html disabled. The issue impacts the vendor tgrk\u2019s Custom Logo plugin when these contextual conditions are met.", "description_and_impact": "The Custom Logo plugin for WordPress is vulnerable to stored cross\u2011site scripting due to insufficient input sanitization and output escaping in the Logo Path setting. Administrators can embed arbitrary scripts that persist in the plugin configuration and are executed whenever a page using the logo is rendered, allowing a malicious user to hijack sessions, deface content, or run client\u2011side attacks on any visitor.", "risk_and_exploitability": "With a CVSS base score of 4.4 the flaw is classified as moderate severity. The EPSS indicates an exploitation probability of less than 1%, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated attacker with administrator privileges on a multisite WordPress site that has unfiltered_html turned off; once logged in, the attacker can inject JavaScript that will execute for all users viewing any affected page."}}}}, "created": "2026-02-26T13:10:00.704232+00:00", "updated": "2026-04-15T18:15:10.813434+00:00", "vendors": ["tgrk", "tgrk$PRODUCT$custom_logo", "wordpress", "wordpress$PRODUCT$wordpress"]}