CVE-2026-9677 - Vulnerability Details

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://wpscan.com/vulnerability/c40298d0-42c2-406c-817a-9bbf246bbeea/

History

Sat, 27 Jun 2026 07:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79

Sat, 27 Jun 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title		Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting
References		https://wpscan.com/vulnerability/c40298d0-42c2-406c-817a-9bbf246bbeea/

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-06-27T06:00:02.352Z

Updated: 2026-06-27T06:00:02.352Z

Reserved: 2026-05-27T07:49:49.685Z

Link: CVE-2026-9677

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T07:30:13Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object