[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$foCIz3HtQMt16qXES6ROL6Ct9jqOSIvXSZr1nLMF_Gq4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-4334","shariff-wrapper-authenticated-contributor-cross-site-scripting","Shariff Wrapper \u003C= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting","The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.","shariff",null,"\u003C=4.6.20","4.6.21","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-27 19:48:38","2026-05-28 08:27:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe037d22a-3d4d-4f70-a749-6d6c552c7553?source=api-prod",1,[22,23,24,25,26],"changelog.txt","readme.txt","shariff.php","uninstall.php","updates.php","researched",false,3,"I want a horizontal line above my Shariff buttons! ... For example, enter the following code to create a horizontal line and a headline: `\u003Chr style='margin:20px 0'>\u003Cp>Please share this post:\u003C\u002Fp>`\"\n    *   This is provided as an example for the *design tab* (admin setting), but the FAQ also says \"Use the headline attribute to add or remove [the headline]...\".\n    *   So the `headline` attribute in the shortcode is expected to contain HTML.\n\n    *   **User Role:** Contributor.\n    *   **Action:** Create a post.\n    *   **Shortcode:** `[shariff headline=\"\u003Cspan style='font-family:%total'>\u003C\u002Fspan>\" total='\";breakout_here...']`\n    *   Wait, does the shortcode support `total`?\n    *   If not `total`, what is `%total` replaced with?\n    *   Could it be the `total` from the *options*? No, PR:L.\n    *   What if `%total` is replaced by the *content* of the shortcode?\n    *   `[shariff headline=\"...%total...\"]My Payload[\u002Fshariff]`\n    *   No, `[shariff]` is usually self-closing.\n    *   What about the `totalnumber` service?\n    *   If `services=\"totalnumber\"`, does the plugin use a value from somewhere?\n\n    *   Let's look at the `final","The Shariff Wrapper plugin is vulnerable to Stored Cross-Site Scripting via the 'headline' and 'headline_zero' attributes in the [shariff] shortcode. This is caused by the plugin replacing a %total placeholder with a HTML span tag without re-sanitizing the resulting string, allowing authenticated attackers with contributor-level permissions to inject arbitrary web scripts.","\u002F\u002F shariff.php lines 1222-1230 in v4.6.20\n\t\tif ( 0 === $share_counts['total'] && array_key_exists( 'headline_zero', $atts ) && ! empty( $atts['headline_zero'] ) ) {\n\t\t\t$atts['headline_zero'] = str_replace( '%total', '\u003Cspan class=\"shariff-total\">' . absint( $share_counts['total'] ) . '\u003C\u002Fspan>', $atts['headline_zero'] );\n\t\t\t$output               .= '\u003Cdiv class=\"ShariffHeadline\">' . $atts['headline_zero'] . '\u003C\u002Fdiv>';\n\t\t} else {\n\t\t\t$atts['headline'] = str_replace( '%total', '\u003Cspan class=\"shariff-total\">' . absint( $share_counts['total'] ) . '\u003C\u002Fspan>', $atts['headline'] );\n\t\t\t$output          .= '\u003Cdiv class=\"ShariffHeadline\">' . $atts['headline'] . '\u003C\u002Fdiv>';\n\t\t}\n\n---\n\n\u002F\u002F shariff.php lines 1345-1349 in v4.6.20 (CSS injection snippet)\n\t\t\t\t\tif ( array_key_exists( 'borderradius', $atts ) && array_key_exists( 'theme', $atts ) && 'round' === $atts['theme'] ) {\n\t\t\t\t\t\t$output .= ' shariff-borderradius';\n\t\t\t\t\t\t$css     = '.shariff .shariff-buttons.theme-round .shariff-borderradius{border-radius:' . $atts['borderradius'] . '%}';\n\t\t\t\t\t\tif ( false === strpos( $dynamic_css, $css ) ) {\n\t\t\t\t\t\t\t$dynamic_css .= $css;","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshariff\u002F4.6.20\u002Fshariff.php\t2026-05-02 01:48:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshariff\u002F4.6.21\u002Fshariff.php\t2026-05-14 22:51:40.000000000 +0000\n@@ -1222,10 +1238,10 @@\n \t\t\t$share_counts['total'] = 0;\n \t\t}\n \t\tif ( 0 === $share_counts['total'] && array_key_exists( 'headline_zero', $atts ) && ! empty( $atts['headline_zero'] ) ) {\n-\t\t\t$atts['headline_zero'] = str_replace( '%total', '\u003Cspan class=\"shariff-total\">' . absint( $share_counts['total'] ) . '\u003C\u002Fspan>', $atts['headline_zero'] );\n+\t\t\t$atts['headline_zero'] = wp_kses( str_replace( '%total', '\u003Cspan class=\"shariff-total\">' . absint( $share_counts['total'] ) . '\u003C\u002Fspan>', $atts['headline_zero'] ), $GLOBALS['allowed_tags'] );\n \t\t\t$output               .= '\u003Cdiv class=\"ShariffHeadline\">' . $atts['headline_zero'] . '\u003C\u002Fdiv>';\n \t\t} else {\n-\t\t\t$atts['headline'] = str_replace( '%total', '\u003Cspan class=\"shariff-total\">' . absint( $share_counts['total'] ) . '\u003C\u002Fspan>', $atts['headline'] );\n+\t\t\t$atts['headline'] = wp_kses( str_replace( '%total', '\u003Cspan class=\"shariff-total\">' . absint( $share_counts['total'] ) . '\u003C\u002Fspan>', $atts['headline'] ), $GLOBALS['allowed_tags'] );\n \t\t\t$output          .= '\u003Cdiv class=\"ShariffHeadline\">' . $atts['headline'] . '\u003C\u002Fdiv>';\n \t\t}\n \t}\n@@ -1343,9 +1359,9 @@\n \t\t\t\t\t\t$dynamic_css .= $css;\n \t\t\t\t\t}\n \t\t\t\t\t\u002F\u002F Border radius?\n-\t\t\t\t\tif ( array_key_exists( 'borderradius', $atts ) && array_key_exists( 'theme', $atts ) && 'round' === $atts['theme'] ) {\n+\t\t\t\t\tif ( array_key_exists( 'borderradius', $atts ) && array_key_exists( 'theme', $atts ) && 'round' === $atts['theme'] && is_numeric( $atts['borderradius'] ) ) {\n \t\t\t\t\t\t$output .= ' shariff-borderradius';\n-\t\t\t\t\t\t$css     = '.shariff .shariff-buttons.theme-round .shariff-borderradius{border-radius:' . $atts['borderradius'] . '%}';\n+\t\t\t\t\t\t$css     = '.shariff .shariff-buttons.theme-round .shariff-borderradius{border-radius:' . absint( $atts['borderradius'] ) . '%}';\n \t\t\t\t\t\tif ( false === strpos( $dynamic_css, $css ) ) {\n \t\t\t\t\t\t\t$dynamic_css .= $css;\n \t\t\t\t\t\t}","To exploit this vulnerability, an attacker with Contributor-level access or higher can create a new post or edit an existing one. They insert the [shariff] shortcode and set the 'headline' attribute to a payload that includes a legitimate HTML tag (permitted by the plugin's internal $allowed_tags list, such as \u003Cspan> or \u003Cdiv>) coupled with a malicious event handler or an attribute-breakout sequence using the %total placeholder. For example, using [shariff headline='\u003Cspan style=\"font-family:%total\" onmouseover=\"alert(1)\">Share this!\u003C\u002Fspan>'] allows the attacker to bypass the plugin's initial sanitization logic because the malicious event handler is either not processed correctly at save-time or the %total substitution at render-time creates a context where the event handler is executed in the user's browser. Additionally, the 'borderradius' attribute can be used for CSS injection by providing non-numeric values.","gemini-3-flash-preview","2026-06-04 16:34:18","2026-06-04 16:35:47",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","4.6.20","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshariff\u002Ftags\u002F4.6.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshariff.4.6.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshariff\u002Ftags\u002F4.6.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshariff.4.6.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshariff\u002Ftags"]