Description
The Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Published: 2026-06-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Shariff for WordPress plugin, versions up to 1.0.11, fails to sanitize or escape the shariff_infourl setting before rendering it in the frontend HTML. This allows users with high privileges, such as administrators, to inject arbitrary script content that is stored in the database and later delivered to other visitors. An attacker can use this flaw to execute JavaScript in the browser of any user who views a page containing the affected widget, enabling session hijacking, credential theft or malicious redirects.

Affected Systems

The affected product is the Shariff for WordPress plugin version 1.0.11 and earlier. Administrators and other privileged users who configure the widget are at risk. The vulnerability applies to installations that enable the Shariff plugin and allow administrators to modify the shariff_infourl setting through the WordPress admin interface.

Risk and Exploitability

The vulnerability is a stored XSS flaw (CWE-79) that can be exploited by an attacker who already has administrator access to the site. Because the stored value is not escaped on output, the injected script executes in the context of every visitor to a page that renders the widget. The EPSS score is not available and the issue is not listed in CISA KEV, but the potential for privilege escalation and the broad user impact still make the risk high. The attack vector is the admin interface where the malicious value is entered; exploitation then requires no user interaction beyond viewing the affected page.

Generated by OpenCVE AI on June 27, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Shariff for WordPress plugin to the latest version that implements sanitization of the shariff_infourl setting.
  • If an upgrade is not yet available, manually validate and escape the shariff_infourl input before storing it, for example by applying WordPress esc_url_raw and esc_html functions.
  • Restrict or remove the shariff_infourl option for non-administrator users, or eliminate the capability that allows editing of this option.
  • Verify that the unfiltered_html capability is disabled on all sites, particularly in multisite deployments.
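The following is an added illustration, not code from the Shariff plugin: a hypothetical rendering helper modelled on the generateshariff() pattern the advisory describes, shown first with the unescaped output and then hardened with context-specific WordPress escaping, plus a sanitize_callback on the option so the stored value is validated on save regardless of the user's unfiltered_html capability. The function bodies, the 'shariff' text domain and the option group name are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes the "info URL" option is
// read with get_option('shariff_infourl') and rendered into an <a> tag.

// Vulnerable pattern: the stored option is concatenated into the HTML verbatim,
// so a value containing a double quote or a javascript: scheme becomes live
// markup in every visitor's browser (stored XSS, CWE-79).
function generateshariff_unescaped( string $info_url ): string {
    return '<a class="shariff-info" href="' . $info_url . '">'
         . __( "What's this?", 'shariff' ) . '</a>';
}

// Hardened pattern: esc_url() rejects disallowed protocols and encodes the
// characters that could break out of the attribute; esc_html__() escapes the
// link text. Escaping at output, in the right context, is what stops the XSS.
function generateshariff_escaped( string $info_url ): string {
    return '<a class="shariff-info" href="' . esc_url( $info_url ) . '">'
         . esc_html__( "What's this?", 'shariff' ) . '</a>';
}

// Defence in depth: validate on save too, so the database never holds an
// unsafe value. The sanitize_callback registered here runs on every update
// made through the Settings API, independent of the unfiltered_html capability.
add_action( 'admin_init', function () {
    register_setting( 'shariff_options', 'shariff_infourl', array(
        'type'              => 'string',
        'default'           => '',
        'sanitize_callback' => function ( $value ) {
            $clean  = esc_url_raw( trim( (string) $value ) );
            $scheme = wp_parse_url( $clean, PHP_URL_SCHEME );
            // Accept only http(s) URLs; anything else is stored as an empty string.
            return in_array( $scheme, array( 'http', 'https' ), true ) ? $clean : '';
        },
    ) );
} );

// Frontend rendering: read the already-validated option and still escape on output.
function shariff_render_info_link(): string {
    return generateshariff_escaped( (string) get_option( 'shariff_infourl', '' ) );
}
```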

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 07:45:00 +0000

Type        | Values Removed | Values Added
Weaknesses  |                | CWE-79

Sat, 27 Jun 2026 06:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title       |                | Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting
References  |                |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-27T06:00:02.352Z

Reserved: 2026-05-27T07:49:49.685Z

Link: CVE-2026-9677

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T07:30:13Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')