Description
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.
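The root cause named above is an ordering bug: the headline is filtered by a kses-style allowlist first, and raw markup is spliced into the already-filtered string afterwards, so a %total the author placed inside a style attribute receives markup that the filter never saw. The following added example is not the plugin's code; it models that pattern with a minimal allowlist filter constructed here (the allowlist, the `shariff-total` class and the function names are assumptions) and puts a hardened ordering beside it, in which an escaped text value is substituted first and the filter runs last.

```python
import html
from html.parser import HTMLParser

# Permissive kses-style allowlist, constructed for this example (not the plugin's policy).
ALLOWED = {"span": {"class", "style"}, "strong": set()}
COUNT_MARKUP = '<span class="shariff-total">{}</span>'  # assumed markup for the share count


class AllowlistSanitizer(HTMLParser):
    """Minimal kses-like filter: keep allowlisted tags/attributes, escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # disallowed tag is dropped; its text content still arrives via handle_data
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag] and v is not None]
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()  # flush buffered text
    return "".join(parser.out)


def render_unsafe(headline, total):
    """Vulnerable ordering: filter first, then splice raw markup into the filtered output.
    A %total inside an attribute value now receives tags the filter never inspected."""
    return sanitize(headline).replace("%total", COUNT_MARKUP.format(total))


def render_safe(headline, total):
    """Hardened ordering: substitute an escaped text value, then filter the final string,
    so the allowlist sees exactly what will be emitted."""
    return sanitize(headline.replace("%total", html.escape(str(total))))
```

Run against a headline that places %total inside a style attribute, the unsafe renderer emits a `<span>` inside the attribute's quotes while the safe renderer emits only the number.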
Published: 2026-05-28
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Shariff Wrapper plugin stores malicious scripts entered through the headline parameter of the [shariff] shortcode. Because the plugin uses a permissive custom sanitization routine followed by a str_replace that re-injects HTML, event handlers can be added via a style attribute placeholder. A compromised page will run the attacker's code whenever a site visitor loads the affected page, potentially leading to data theft, session hijacking, or defacement. This is a classic Stored XSS vulnerability (CWE-79).

Affected Systems

WordPress sites running Shariff Wrapper version 4.6.20 or earlier. The flaw is tracked under the 3uu vendor and the Shariff Wrapper product, and can be exploited by any authenticated user with Contributor-level access or higher. The payload is injected via the headline parameter in the [shariff] shortcode.

Risk and Exploitability

The public CVSS score of 6.4 places this flaw in the medium severity range. EPSS data is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, indicating that exploitation is currently not widespread. Nonetheless, the attack requires only Contributor-level access and the ability to edit or create a post containing the [shariff] shortcode. Once the payload is stored, the injected code executes automatically for all visitors to that post, giving the attacker a broad attack surface across the site's user base.

Generated by OpenCVE AI on May 28, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shariff Wrapper to the latest version, 4.6.21 or later, which removes the vulnerable headline handling.
  • If an upgrade is not immediately possible, restrict use of the [shariff] shortcode, or the ability to edit its headline field, to trusted administrators, and remove the shortcode from existing content.
  • Audit all posts containing the [shariff] shortcode to identify and delete any malicious code, and monitor the site for signs of XSS exploitation.



Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type: Metrics
Values Removed: -
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: -
Values Added: 3uu; 3uu shariff Wrapper; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: -
Values Added: 3uu; 3uu shariff Wrapper; Wordpress; Wordpress wordpress

Thu, 28 May 2026 08:45:00 +0000

Type: Description
Values Removed: -
Values Added: The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.

Type: Title
Values Removed: -
Values Added: Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting

Type: Weaknesses
Values Removed: -
Values Added: CWE-79

Type: References
Values Removed: -
Values Added:

Type: Metrics
Values Removed: -
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:31:28.554Z

Reserved: 2026-03-17T14:11:01.203Z

Link: CVE-2026-4334

Vulnrichment

Updated: 2026-05-28T10:31:23.999Z

NVD

Status: Deferred

Published: 2026-05-28T09:16:45.360

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-4334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T10:30:14Z

Weaknesses