CVE-2026-4334
Deferred Deferred - Pending Action
Stored XSS in Shariff Wrapper WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-16
NVD
CVE-2026-4334
EUVD
EUVD-2026-32750
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
heise_online shariff_wrapper to 4.6.20 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when users access the injected pages. This can lead to unauthorized access or manipulation of user data, potentially compromising confidentiality and integrity.

Such unauthorized script execution could result in exposure or alteration of personal or sensitive information, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, organizations using the affected plugin versions may face compliance risks related to data security and privacy mandates if this vulnerability is exploited.

Executive Summary

The Shariff Wrapper plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'headline' parameter of the [shariff] shortcode in all versions up to and including 4.6.20.

This vulnerability exists because the plugin does not properly sanitize input or escape output. It uses a custom wp_kses implementation with permissive allowed HTML tags and then performs a string replacement that injects HTML after sanitization.

As a result, authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page.

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into web pages.

When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.

Because the attack requires authenticated access but no user interaction (UI:N), and the scope is changed (S:C), it can have a significant impact on confidentiality and integrity of data.

Mitigation Strategies

To mitigate this vulnerability, you should update the Shariff Wrapper plugin for WordPress to a version later than 4.6.20 where the issue is fixed.

Additionally, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated users with such privileges to exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart