CVE-2026-4334
The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.6.20. Attackers with Contributor-level access or higher can inject malicious scripts through the 'headline' parameter in the [shariff] shortcode. When other users view the affected page, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further compromise. The vulnerability stems from the plugin's use of a permissive HTML sanitization routine followed by unsafe string replacement operations that reintroduce dangerous content after the sanitization check.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-4334 is a Stored XSS vulnerability in the Shariff Wrapper WordPress plugin. The plugin implements custom sanitization via a modified wp_kses function that allows a broad set of HTML tags. However, after sanitization completes, the plugin performs a str_replace operation that injects HTML content—specifically through the %total placeholder in style attributes—without re-validating the result. This post-sanitization injection permits attackers to embed event handlers (such as onload, onerror) that bypass the initial sanitization layer. The vulnerability requires authenticated access at Contributor level or above, meaning the attacker must have a valid WordPress user account with publishing privileges. The injected payload persists in the database, executing for all users who subsequently access the compromised page.
Business impact
Organizations running Shariff Wrapper face risk of user session compromise, sensitive data exfiltration, and reputation damage. Because the XSS is stored and executes whenever any user views the page, the blast radius extends beyond the initial attacker to all site visitors, including administrators and customers. In a multi-author environment, a lower-privileged employee account could compromise the integrity of pages viewed by executives or customers. For WordPress sites serving as customer portals or marketing platforms, this vulnerability could undermine user trust and trigger compliance violations (e.g., PCI DSS for e-commerce sites).
Affected systems
Shariff Wrapper plugin for WordPress, all versions up to and including 4.6.20. Organizations using this plugin should verify their installed version immediately. The plugin is used primarily for adding social sharing functionality to WordPress sites. Sites that have restricted the Contributor role to trusted staff only face lower risk than those allowing self-registration or contractor access.
Exploitability
Exploitation requires valid WordPress authentication at Contributor level or above. This is a relatively low barrier in organizations with many content creators, freelancers, or contractors. The attack does not require user interaction from victims—the payload executes automatically when any user (including unauthenticated visitors in some configurations) views the compromised page. No advanced technical skills are needed; the attacker simply needs to create or edit a post/page containing a malicious [shariff] shortcode. The CVSS score of 6.4 (Medium) reflects the requirement for authentication, but the stored nature and site-wide impact warrant urgent attention.
Remediation
Update the Shariff Wrapper plugin to a version newer than 4.6.20 as soon as a patch is available from the vendor. Verify the update in the WordPress plugin repository or the vendor's advisory. In the interim, restrict the Contributor role to trusted staff only, review existing pages and posts for suspicious [shariff] shortcodes with unusual headline parameters, and consider disabling the plugin if it is not actively used. Audit user accounts with Contributor access or above to identify and remove compromised or unnecessary accounts.
Patch guidance
Monitor the WordPress plugin repository and the Shariff Wrapper vendor's website for version 4.6.21 or later. Test the update in a staging environment to confirm compatibility with your WordPress version and other active plugins before deploying to production. After updating, perform a full post/page scan to identify and remove any malicious [shariff] shortcodes that may have been injected during the vulnerability window. Enable automatic plugin updates if your hosting environment and security posture permit.
Detection guidance
Search your WordPress database for [shariff] shortcodes containing suspicious or Base64-encoded headline parameters, especially those containing event handler keywords (onload, onerror, onclick, etc.) or javascript: protocols. Enable WordPress logging and monitor for posts/pages edited by lower-privileged accounts if your threat model suggests insider risk. Use web application firewalls (WAF) to detect outbound exfiltration or suspicious DOM manipulation from your WordPress domain. Review WordPress user audit logs for any Contributor-level account activity prior to the vulnerability discovery date.
Why prioritize this
Although the CVSS score is Medium (6.4), this vulnerability warrants high prioritization due to its stored nature, potential for widespread user impact, and low exploitation barrier. Any Contributor can compromise all site visitors. Organizations with permissive user permission models or third-party content authors should treat this as urgent. The vulnerability is neither on the CISA KEV catalog nor marked for active exploitation at publication, but the straightforward injection mechanism makes weaponization trivial.
Risk score, explained
The CVSS 3.1 score of 6.4 (Medium) is assigned because: Attack Vector is Network (increasing score), Attack Complexity is Low (easy exploitation), Privileges Required is Low (Contributor access), User Interaction is None (no victim action needed), Scope is Changed (the injected script affects the broader web application and user sessions), Confidentiality is Low (potential data leakage), Integrity is Low (page content and user trust are compromised), and Availability is None (no denial of service component). The score does not fully capture the reputational and user-trust damage of a stored XSS on a high-traffic page, so security teams should consider organizational context when prioritizing.
Frequently asked questions
Do I need Contributor access to exploit this, or can unauthenticated attackers inject the payload?
Exploitation requires valid WordPress authentication at Contributor level or above. An unauthenticated attacker cannot directly inject the payload. However, if your WordPress site allows user self-registration and grants new registrants Contributor privileges by default, the effective barrier is much lower.
Will updating the plugin remove malicious shortcodes already in my database?
No. The update will patch the vulnerability but will not automatically remove existing malicious [shariff] shortcodes. You must manually audit your posts and pages or use a database query to find and remove injected shortcodes. Consider hiring a WordPress security firm if you cannot safely audit the database yourself.
Is this vulnerability currently being exploited in the wild?
As of the publication date, CVE-2026-4334 is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog and has not been widely reported in public threat intelligence. However, the simplicity of the attack makes it likely that exploitation will occur once awareness spreads, so prompt patching is essential.
Our WordPress site is behind a WAF and we restrict admin access tightly. Is this still a concern?
Yes. A WAF can help detect outbound data exfiltration but cannot prevent the injection itself if an authenticated Contributor account is compromised or malicious. Focus on patching promptly and minimizing the number of users with Contributor access. Regular security audits of user accounts and their activity are equally important.
This analysis is provided for informational purposes and represents the state of vulnerability intelligence as of the published date. Organizations should verify all technical details, affected versions, and available patches against the vendor's official advisory before taking action. Patch version numbers and availability dates are subject to vendor release schedules. This explainer does not constitute legal advice or a guarantee of security. Always test patches in a non-production environment first. If you discover evidence of exploitation, engage incident response and law enforcement as appropriate. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Browse
Related vulnerabilities
- CVE-2018-25384MEDIUM
CVE-2018-25384: Stored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUM
CVE-2019-25731: Stored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUM
CVE-2019-25737: Stored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUM
CVE-2019-25739: GigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUM
CVE-2019-25742: Stored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUM
CVE-2019-25743: WordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUM
CVE-2019-25744: WordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUM
CVE-2025-14042: Stored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1