VYPR
Unrated severity · NVD Advisory · Published Feb 27, 2024 · Updated Oct 27, 2024

Shariff Wrapper < 4.6.10 - Admin+ Stored XSS

CVE-2024-1106

Description

The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Shariff Wrapper plugin 4.6.9 and earlier allows admin-level stored XSS via unsanitized settings, exploitable even when unfiltered_html is disallowed (e.g., multisite).

Vulnerability

The Shariff Wrapper WordPress plugin before version 4.6.10 lacks proper sanitization and escaping of some of its settings. This vulnerability exists in the plugin's administrative interface, where high-privilege users (admin) can insert malicious scripts through unsanitized input fields. The vulnerable code path is reachable by any logged-in admin user navigating to the plugin settings page. The issue affects all versions prior to 4.6.10 [1].

Exploitation

An attacker must have administrator-level access to the WordPress site to exploit this vulnerability. In a standard setup, this would be a user with the manage_options capability. The attacker can inject arbitrary JavaScript or HTML into the unsanitized settings fields. Once saved, the payload is stored and will execute whenever the settings page is viewed by other admin users. The attack does not require the unfiltered_html capability, making it exploitable even in WordPress multisite installations where super admins may restrict this capability to lower-level admins [1].

Impact

Successful exploitation results in Stored Cross-Site Scripting (XSS) within the admin context. The attacker gains the ability to execute arbitrary JavaScript in the browsers of any other administrator accessing the affected settings page. This can lead to session hijacking, privilege escalation (e.g., creating new admin users), or exfiltration of sensitive data. The attack operates at the highest privilege level of the WordPress backend, posing a significant security risk [1].

Mitigation

The vulnerability has been fixed in version 4.6.10 of the Shariff Wrapper plugin. Users should update to this version or later immediately. No workarounds are documented in the available references. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)