cleantalk
Vulnerabilities and Security Researches

Shariff Wrapper, CVE-2026-4334

CVE, Research URL

CVE-2026-4334

Home page URL

Security reports for Shariff Wrapper

Application

Shariff Wrapper

Published on
May 28, 2026
Research Description
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.
Affected versions
max 4.6.21.
Status
vulnerable
Previous vulnerability researches
Sunshine Photo Cart: Free Client Galleries for Photographers (CVE-2026-39564) , Apr 14, 2026
Sunshine Photo Cart: Free Client Galleries for Photographers (CVE-2024-44038) , Sep 28, 2024
Sunshine Photo Cart: Free Client Galleries for Photographers (CVE-2026-24994) , Feb 28, 2026
Sunshine Photo Cart: Free Client Galleries for Photographers (CVE-2025-67973) , Feb 28, 2026
Sunshine Photo Cart: Free Client Galleries for Photographers (CVE-2024-43971) , Sep 01, 2024
New vulnerability
PDF Flipbook, 3D Flipbook – DearFlip (CVE-2026-49047) , May 28, 2026
Login with NEAR (CVE-2026-8994) , May 28, 2026
Livemesh SiteOrigin Widgets (CVE-2026-3896) , May 28, 2026
SMTP2GO for WordPress – Email Made Easy (CVE-2026-7621) , May 28, 2026
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks (CVE-2026-42728) , May 28, 2026