CVE-2026-4334
Description
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Shariff Wrapper plugin (≤4.6.20) has a stored XSS via the `[shariff]` shortcode `headline` parameter due to a permissive custom `wp_kses` and a later `str_replace` that unsafely injects HTML.
Vulnerability
The Shariff Wrapper plugin for WordPress versions up to and including 4.6.20 contains a Stored Cross-Site Scripting (XSS) vulnerability in the [shariff] shortcode's headline parameter [1][2][4]. The plugin uses a custom wp_kses implementation that allows a permissive set of HTML tags and then performs a str_replace operation on the sanitized output to replace the %total placeholder with dynamic content. Because this replacement occurs after the wp_kses sanitization, an attacker can inject arbitrary HTML event handlers inside the style attribute, effectively bypassing the sanitization. The vulnerability is accessible to authenticated users with Contributor-level access or higher, as they can create or edit posts containing the shortcode.
Exploitation
An attacker with Contributor-level permissions inserts the [shariff] shortcode into a post or page and sets the headline parameter to a crafted value that includes an event handler, for example onmouseover, within the %total placeholder. The str_replace later injects this HTML into the shortcode output, which is then stored and executed when any user visits the affected page. The attacker only needs to be able to create or edit posts using the shortcode, which is a standard capability for Contributor-level and above users in WordPress.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any user who views the compromised page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the stored XSS execution scope, but since the injected script runs in the victim's browser, it can access cookies, local storage, and perform actions on behalf of the victim.
Mitigation
As of the publication date (2026-05-28), no fixed version has been released. Users should disable the [shariff] shortcode or restrict its use to trusted user roles as a temporary workaround. Administrators can also apply a content security policy (CSP) that blocks inline event handlers. The vendor is expected to release a patched version that properly escapes or sanitizes the headline parameter after the str_replace step. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.6.20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient input sanitization and output escaping on the 'headline' parameter in the [shariff] shortcode, combined with a post-sanitization str_replace operation that re-introduces HTML event handlers via the %total placeholder in the style attribute."
Attack vector
An authenticated attacker with at least Contributor-level access can inject arbitrary web scripts by supplying a crafted 'headline' attribute in the [shariff] shortcode. The plugin applies wp_kses with a permissive set of allowed HTML tags, then performs a str_replace operation that injects HTML after sanitization, allowing event handlers (e.g., onmouseover, onclick) to be introduced through the %total placeholder in the style attribute [ref_id=1]. When any user views the affected page, the injected script executes in their browser session.
Affected code
The vulnerability resides in the `shariff3uu_render()` function in `shariff.php` around line 1144 [ref_id=1]. The 'headline' parameter is sanitized via `wp_kses()` with a permissive `$GLOBALS['allowed_tags']` set, and then a `str_replace` operation injects HTML after sanitization, allowing event handlers to be introduced through the `%total` placeholder in the style attribute.
What the fix does
The advisory does not include a patch diff, but the remediation guidance is to properly escape the headline output using WordPress's esc_html() or similar context-aware escaping functions, and to avoid post-sanitization str_replace operations that can re-introduce dangerous HTML. The plugin should also restrict the allowed HTML tags in the wp_kses call to prevent event handler attributes from passing through sanitization [ref_id=1]. No official patch has been published in the provided bundle.
Preconditions
- Auth: Attacker must be authenticated with at least Contributor-level access to the WordPress site.
- Input: Attacker must be able to insert or edit a post/page containing the [shariff] shortcode with a crafted 'headline' attribute.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php
- plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php
- plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php
- plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/e037d22a-3d4d-4f70-a749-6d6c552c7553
News mentions
No linked articles in our index yet.