PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4334 3uu CVE debrief

The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 4.6.20. The flaw resides in the [shariff] shortcode's 'headline' parameter, where insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. The vulnerability stems from a custom wp_kses implementation with permissive allowed HTML tags, followed by a str_replace operation that injects HTML after sanitization. This enables event handlers to be introduced through the %total placeholder within style attributes, causing malicious scripts to execute when users access injected pages.

Vendor
3uu
Product
Shariff Wrapper
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

WordPress site administrators using Shariff Wrapper plugin; security teams managing content management system deployments; developers implementing custom wp_kses sanitization routines

Technical summary

The Shariff Wrapper plugin's [shariff] shortcode processes the 'headline' parameter through a custom sanitization routine that permits overly broad HTML tag sets via wp_kses. Post-sanitization, the plugin performs string replacement operations injecting HTML content containing the %total placeholder. This sequence allows attackers to smuggle JavaScript event handlers through style attributes that execute in victim browsers. The vulnerability requires authenticated access at Contributor privilege level or above to exploit, with attack complexity rated low and scope changed due to potential impact on downstream systems.

Defensive priority

medium

Recommended defensive actions

  • Update Shariff Wrapper plugin to version 4.6.21 or later
  • Review and restrict Contributor-level user permissions where possible
  • Implement Content Security Policy headers to mitigate XSS impact
  • Audit existing posts and pages for suspicious [shariff] shortcode usage
  • Consider additional output encoding for user-supplied shortcode attributes

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code references. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness.

Official resources

2026-05-28