Description
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Published: 2026-06-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Shariff for WordPress plugin up to version 1.0.11 fails to sanitize or escape the shariff_infourl setting before rendering it in the front‑end. This flaw allows a user with administrative privileges to store a malicious value that is then embedded directly into the page output as part of the Shariff widget. The result is a stored Cross‑Site Scripting vulnerability that can execute arbitrary JavaScript in the browsers of visitors who view pages containing the widget.

Affected Systems

The affected product is the Shariff for WordPress plugin version 1.0.11 and earlier. Any installation that has the plugin enabled and allows administrators or other highly privileged users to edit the shariff_infourl setting is at risk.

Risk and Exploitability

Exploitation requires an attacker to already possess administrative or equivalent access to the WordPress site to inject the malicious setting. Once the value is stored, it will be served to all users who load a page with the Shariff widget, regardless of their own privileges. The EPSS score, below 1%, suggests a low probability of exploitation in the wild, and the CVSS score of 4.8 places the vulnerability in the moderate severity range. It is not listed in the CISA KEV catalog. The attack vector is inferred to be the WordPress admin interface where the malicious string is entered; no additional interaction by visitors is required beyond viewing the affected page.

Generated by OpenCVE AI on June 29, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Shariff for WordPress plugin to a version that sanitizes the shariff_infourl setting.
  • If an upgrade is not yet available, validate and escape the shariff_infourl input before storing it, for example by using WordPress esc_url_raw and esc_html functions.
  • Restrict or remove the ability for non‑administrator users to modify the shariff_infourl option, or eliminate the capability that grants this control.
  • Ensure the unfiltered_html capability is disabled on all sites, especially in multisite deployments.

Generated by OpenCVE AI on June 29, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Shariff For Wordpress
Shariff For Wordpress shariff For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Shariff For Wordpress
Shariff For Wordpress shariff For Wordpress
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Sat, 27 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting
References

Subscriptions

Shariff For Wordpress Shariff For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-29T12:44:20.260Z

Reserved: 2026-05-27T07:49:49.685Z

Link: CVE-2026-9677

cve-icon Vulnrichment

Updated: 2026-06-29T12:43:55.212Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:05:56Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')