CVE-2026-9677
Received Received - Intake
Stored XSS in Shariff for WordPress Plugin

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: WPScan

Description
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-27
Last Modified
2026-06-27
Generated
2026-06-27
AI Q&A
2026-06-27
EPSS Evaluated
N/A
NVD
CVE-2026-9677
EUVD
EUVD-2026-39947
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp-media shariff_for_wordpress to 1.0.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Shariff for WordPress plugin, up to version 1.0.11, contains a stored Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function.

As a result, high-privilege users such as administrators can inject malicious JavaScript code into this setting. This can happen even if the unfiltered_html capability is disallowed, for example in multisite WordPress setups.

When the malicious payload is saved and a user visits a page where the plugin outputs this setting, the injected script executes, potentially compromising the site.

Impact Analysis

This vulnerability allows an attacker with admin-level access to inject and execute arbitrary JavaScript code on the frontend of the WordPress site.

The impact includes the potential for session hijacking, defacement, redirection to malicious sites, theft of sensitive information, or further exploitation of the site through the injected scripts.

Even in environments where unfiltered HTML is restricted, this vulnerability bypasses those restrictions, increasing the risk of exploitation in multisite setups.

Detection Guidance

This vulnerability can be detected by checking if the Shariff for WordPress plugin version is up to and including 1.0.11 and by inspecting the shariff_infourl setting for malicious script injections.

One way to detect exploitation is to look for suspicious JavaScript payloads in the shariff_infourl parameter, such as payloads containing HTML tags with event handlers (e.g., onerror).

You can use commands to search the WordPress database or plugin settings for suspicious shariff_infourl values. For example, using WP-CLI to query the option or meta values related to shariff_infourl:

  • wp option get shariff_infourl
  • wp db query "SELECT * FROM wp_options WHERE option_name LIKE '%shariff_infourl%' AND option_value LIKE '%<img%onerror=%'"

Additionally, monitoring HTTP responses for unescaped shariff_infourl values containing script tags or event handlers in the frontend HTML can help detect active exploitation.

Mitigation Strategies

To mitigate this vulnerability immediately, update the Shariff for WordPress plugin to a version later than 1.0.11 where the issue is fixed.

If an update is not immediately possible, restrict high privilege user access to the plugin settings to prevent malicious input into the shariff_infourl parameter.

Review and sanitize the shariff_infourl setting in your current installation to remove any injected scripts or suspicious content.

Consider implementing additional security measures such as a Web Application Firewall (WAF) to block malicious payloads targeting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart