CVE Catalog

CVE-2026-9677

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

The Shariff for WordPress plugin through version 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function. This allows high-privilege users such as administrators to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Risk Assessment

An attacker with administrator privileges can inject a malicious JavaScript script that executes in the browsers of other users visiting the site, leading to session theft, defacement, or further attack escalation.

Recommendation

Immediately update the Shariff for WordPress plugin to the latest available version that includes a security fix. If an update is not available, temporarily disable the plugin or restrict access to its settings to trusted administrators only.

Original NVD description (English source)

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS