CVE-2026-4334 Overview
CVE-2026-4334 is a Stored Cross-Site Scripting (XSS) vulnerability in the Shariff Wrapper plugin for WordPress. The flaw affects all versions up to and including 4.6.20. It resides in the headline parameter of the [shariff] shortcode, where insufficient input sanitization and output escaping allow script injection. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts that execute when any user visits the injected page. The weakness is classified as [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated contributors can persist JavaScript into published pages, enabling session theft, privilege escalation against administrators, and drive-by browser attacks against site visitors.
Affected Products
- Shariff Wrapper plugin for WordPress, all versions through 4.6.20
- WordPress sites that expose the [shariff] shortcode to Contributor-level (or higher) authors
- WordPress installations rendering attacker-authored pages to authenticated administrators or visitors
Discovery Timeline
- 2026-05-28 - CVE-2026-4334 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-4334
Vulnerability Analysis
The Shariff Wrapper plugin implements a custom wp_kses filter configuration to sanitize the headline shortcode attribute. The allow-list of HTML tags is permissive, but the sanitizer alone does not produce the final markup. After sanitization, the plugin performs a str_replace operation that substitutes the %total placeholder inside a style attribute with caller-controlled content. Because the substitution happens after wp_kses, attacker-controlled bytes are inserted into the DOM without re-validation. An attacker can break out of the style attribute context and introduce event handler attributes such as onmouseover or onload. The injected script persists in post content and executes in the browser of any user who renders the affected page, including site administrators.
Root Cause
The root cause is sanitization order: wp_kses runs before HTML composition, and the subsequent str_replace reintroduces untrusted data into a sensitive attribute context. This pattern defeats the protection model wp_kses was meant to enforce, because the final rendered HTML never passes through a sanitizer.
Attack Vector
Exploitation requires an authenticated account at Contributor level or above. The attacker creates or edits a post containing a [shariff] shortcode with a crafted headline attribute that smuggles HTML through the %total placeholder. When the post is rendered, the injected event handler executes JavaScript in the visitor's browser session under the site's origin. The scope is changed (CVSS S:C), reflecting impact on browsers other than the vulnerable component.
No verified public proof-of-concept code is available. Refer to the Wordfence Vulnerability Analysis and the affected source lines in shariff.php line 1143 and shariff.php line 1144 for technical context.
Detection Methods for CVE-2026-4334
Indicators of Compromise
- Post or page content containing [shariff] shortcodes with unusual headline attribute values that include %total, onerror, onmouseover, or quoted attribute breakouts.
- Rendered pages whose source contains style attributes followed by event handlers or <script> fragments adjacent to Shariff share-button markup.
- Outbound browser requests from page visitors to attacker-controlled domains correlated with views of Contributor-authored content.
Detection Strategies
- Audit wp_posts rows for post_content matching the [shariff shortcode and inspect each headline attribute for HTML metacharacters.
- Review the WordPress audit log for posts created or edited by Contributor and Author accounts that include the Shariff shortcode.
- Use a Content Security Policy (CSP) report-only header to surface inline script execution originating from plugin-rendered pages.
Monitoring Recommendations
- Monitor for new or modified posts that contain Shariff shortcodes and route them for editorial review before publication.
- Alert on administrator session activity that follows a visit to a page authored by a Contributor, which can indicate session token theft.
- Track plugin version inventory across WordPress sites and flag any host still running Shariff Wrapper 4.6.20 or earlier.
How to Mitigate CVE-2026-4334
Immediate Actions Required
- Update the Shariff Wrapper plugin to the version published in the WordPress Shariff Change Set that supersedes 4.6.20.
- Audit existing posts and pages for malicious [shariff] shortcodes and remove or sanitize any suspicious headline values.
- Rotate administrator session cookies and reset passwords for any account that previewed or edited untrusted Contributor content.
Patch Information
The vendor addressed the issue in the commit referenced by the WordPress Shariff Change Set. The fix corrects the sanitization order so the %total substitution can no longer reintroduce HTML into the style attribute. Apply the update through the WordPress plugin manager or WP-CLI on every site running the plugin.
Workarounds
- Deactivate the Shariff Wrapper plugin until the patched version is deployed.
- Restrict Contributor and Author roles from using shortcodes by removing unfiltered_html capability assumptions and filtering the [shariff] shortcode at the theme level.
- Deploy a strict Content Security Policy that disallows inline event handlers and inline scripts on pages rendered from user-authored content.
# Update Shariff Wrapper via WP-CLI on all sites
wp plugin update shariff --all
# Verify installed version is greater than 4.6.20
wp plugin get shariff --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
