MEDIUM
3uu
CVE published 2026-05-28
CVE-2026-4334
The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to and including 4.6.20. The flaw resides in the [shariff] shortcode's 'headline' parameter, where insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. The vulnerability stems from a custom w [truncated]