WP Logo Changer CVE-2025-53245
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Afzal Multani WP Logo Changer am-login-logo allows Stored XSS.This issue affects WP Logo Changer: from n/a through <= 1.2.
AnalysisAI
Stored cross-site scripting (XSS) in WP Logo Changer WordPress plugin versions 1.2 and earlier allows remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exploits improper input sanitization during web page generation, enabling attackers to inject persistent malicious code. EPSS indicates 0.05% exploitation probability (16th percentile), suggesting low opportunistic targeting risk. No active exploitation confirmed via CISA KEV at time of analysis.
Technical ContextAI
WP Logo Changer is a WordPress plugin developed by Afzal Multani that enables site administrators to customize login page logos. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin fails to properly sanitize user-supplied input before rendering it in HTML output. Unlike reflected XSS, this stored variant persists the malicious payload in the WordPress database, causing it to execute whenever affected pages load. The CVSS vector indicates network-based exploitation (AV:N) with low attack complexity (AC:L) but requires user interaction (UI:R), typical of stored XSS where victims must view the injected content. The changed scope (S:C) suggests the vulnerability can affect resources beyond the plugin's security boundary, potentially compromising WordPress session cookies or site integrity.
Affected ProductsAI
WordPress plugin WP Logo Changer by Afzal Multani, all versions from initial release through version 1.2 inclusive. The vulnerability affects the am-login-logo plugin slug as referenced in the Patchstack database entry. Specific version ranges indicate widespread impact across the plugin's version history, suggesting the input validation flaw existed since early development. Sites running any version up to and including 1.2 require remediation. No CPE identifier was provided in the vulnerability data, limiting automated vulnerability scanning integration.
RemediationAI
Upgrade WP Logo Changer to a patched version newer than 1.2 as detailed in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/am-login-logo/vulnerability/wordpress-wp-logo-changer-plugin-1-2-cross-site-scripting-xss-vulnerability. If no patched version is available in the WordPress plugin repository, immediately deactivate and remove the plugin until a fix is released. As a temporary compensating control, restrict WordPress administrative and editor roles to only trusted users, implement Content Security Policy headers to limit inline script execution (note this may break legitimate plugin functionality), and audit existing login page customizations for injected scripts by inspecting the plugin's database entries and file modifications. Monitor WordPress admin activity logs for unexpected changes to logo settings. Consider alternative logo customization plugins with active security maintenance until WP Logo Changer receives updates.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today