PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9677 Shariff for WordPress CVE debrief

The Shariff for WordPress plugin through 1.0.11 has a Stored Cross-Site Scripting vulnerability. The plugin does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function. This could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The vulnerability has a CVSS score of 4.8 and a severity of MEDIUM. The CVE was published on 2026-06-27T06:16:34.783Z and modified on 2026-06-29T14:16:59.450Z.

Vendor
Shariff for WordPress
Product
Shariff for WordPress plugin
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-27
Original CVE updated
2026-06-29
Advisory published
2026-06-27
Advisory updated
2026-06-29

Who should care

Administrators and site operators running the Shariff for WordPress plugin at version 1.0.11 or earlier should take note. Exploitation requires an account with high privileges (an administrator role) to save a crafted shariff_infourl value; the plugin then writes that value into the frontend HTML unescaped, so the injected script runs in the browser of any visitor who loads a page where the plugin renders its output. The issue matters most where administrators are deliberately denied the unfiltered_html capability, for example on WordPress multisite, where only super admins hold it: this flaw lets such an administrator store script in the frontend anyway, bypassing that restriction. On a single-site install where the administrator already holds unfiltered_html, the added exposure is small.

Technical summary

The Shariff for WordPress plugin through 1.0.11 does not sanitize the shariff_infourl setting when it is saved and does not escape it when it is output, so the raw value is written into the frontend HTML by the generateshariff() function. A high privilege user such as an administrator can therefore store a value containing markup or script and have it rendered to every visitor, even when the unfiltered_html capability is disallowed for that user (for example in a multisite setup), which is the control that would normally prevent an administrator from publishing script. The vulnerability has a CVSS score of 4.8 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity, but the attacker must already hold high privileges (PR:H) and the payload only fires when another user loads the affected page (UI:R); the changed scope (S:C) reflects that the script executes in visitors' browsers rather than in the attacker's own session.

Defensive priority

Moderate. The score of 4.8 (MEDIUM) reflects that the attacker must already hold an administrator-level account and that a victim must load the affected page. Treat the update as urgent on multisite networks and on any install that relies on withholding unfiltered_html from administrators, because this flaw is precisely a bypass of that control for one setting; on single-site installs where administrators already hold unfiltered_html, it is a routine plugin update.

Recommended defensive actions

  • Update the Shariff for WordPress plugin to a version later than 1.0.11 that the vendor identifies as fixed; versions through 1.0.11 are affected.
  • Keep the unfiltered_html capability restricted to the accounts that need it, but do not rely on it against this issue: until the plugin is updated, the flaw bypasses that control for the shariff_infourl setting.
  • Inspect the stored shariff_infourl option for anything other than a plain http(s) URL (quotes, angle brackets, javascript: URIs). A tampered value is evidence that a privileged account was used to plant script, not a benign misconfiguration.
  • Review administrator account activity on affected sites (logins, settings changes, newly created privileged users), since exploitation requires an administrator-level account.
  • Deploy a Content Security Policy that disallows inline script as a defence in depth against stored XSS in general; it limits the impact of this and similar plugin flaws but does not replace the update.
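The defect pattern described in the technical summary, and the check behind the "inspect the stored shariff_infourl option" action above, as an added illustrative example in plain PHP. This is not the plugin's own code: the function names render_info_link_vulnerable, sanitize_infourl, render_info_link_hardened and infourl_needs_review, and the stored value, are constructed for this example. It runs stand-alone with the PHP CLI; comments note the WordPress equivalents (esc_url_raw() in a register_setting() sanitize_callback on save, esc_url() on output).

```php
<?php
// Added illustrative example, not code from the Shariff plugin.
// Shows an admin-controlled option concatenated into an href unescaped
// (the defect class), beside a sanitize-on-save / escape-on-output version,
// plus an audit check for values already sitting in the database.

// Constructed attacker-supplied value, as it would sit in the
// shariff_infourl option after a privileged user saved it.
$stored_infourl = '"><img src=x onerror=alert(document.domain)>';

// Vulnerable pattern: the option value is dropped straight into HTML.
function render_info_link_vulnerable(string $infourl): string {
    return '<a class="shariff-info" href="' . $infourl . '">i</a>';
}

// Sanitize on save: accept only absolute http(s) URLs, reject anything else.
// WordPress equivalent: esc_url_raw() inside a register_setting()
// sanitize_callback. Plain PHP is used here so the script runs stand-alone.
function sanitize_infourl(string $raw): string {
    $candidate = trim($raw);
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';   // no scheme/host: markup, javascript: URIs, relative junk
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';   // only web URLs are meaningful for an "info" link
    }
    return filter_var($candidate, FILTER_VALIDATE_URL) !== false ? $candidate : '';
}

// Escape on output, attribute context: quotes and angle brackets become
// entities, so a bad value cannot break out of href="...". This is applied
// even to sanitized values (defence in depth). WordPress equivalent: esc_url().
function render_info_link_hardened(string $infourl): string {
    if ($infourl === '') {
        return '';   // nothing valid to link to, emit no anchor at all
    }
    $safe = htmlspecialchars($infourl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="shariff-info" href="' . $safe . '">i</a>';
}

// Audit check for the stored option: if the sanitizer would have changed the
// value, something other than a plain http(s) URL is in the database.
function infourl_needs_review(string $stored): bool {
    return sanitize_infourl($stored) !== trim($stored);
}

// Demonstration on the constructed value and on a benign one.
echo "vulnerable:   " . render_info_link_vulnerable($stored_infourl) . PHP_EOL;
echo "hardened:     " . render_info_link_hardened(sanitize_infourl($stored_infourl)) . PHP_EOL;
echo "benign:       " . render_info_link_hardened(sanitize_infourl('https://example.com/about')) . PHP_EOL;
echo "needs review: " . (infourl_needs_review($stored_infourl) ? 'yes' : 'no') . PHP_EOL;
echo "benign review:" . (infourl_needs_review('https://example.com/about') ? 'yes' : 'no') . PHP_EOL;
```

The vulnerable renderer emits the constructed payload as live markup; the hardened path drops it at sanitization and, had it somehow reached output, would still entity-encode it inside the attribute. On a real site the same audit can be run against the value returned by get_option('shariff_infourl'); a result of "needs review: yes" on a production install should be treated as an indicator of a compromised or misused administrator account.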

Evidence notes

The CVE-2026-9677 vulnerability was reported by WPScan. It is a Stored Cross-Site Scripting vulnerability in the Shariff for WordPress plugin through 1.0.11; no fixed version is named in the stored evidence. The CVE was published on 2026-06-27T06:16:34.783Z and modified on 2026-06-29T14:16:59.450Z. The CVSS score is 4.8 and the severity is MEDIUM.

Official resources

This article is AI-assisted and based on the supplied source corpus.