Stored Cross-Site Scripting in WordPress Plugin by Shariff
CVE-2026-9677

Currently unrated

Key Information:

Vendor: WordPress
Status: Shariff For WordPress
Vendor: CVE Published:; 27 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-9677?

The Shariff for WordPress plugin, up to version 1.0.11, contains a vulnerability that allows high-privilege users, such as administrators, to inject malicious scripts through unsanitized input. When the shariff_infourl setting is outputted in the frontend HTML via the generateshariff() function, it does not undergo proper sanitization or escaping. This flaw can lead to Stored Cross-Site Scripting (XSS) attacks, even in configurations where the unfiltered_html capability is restricted, such as in multisite installations.

Affected Version(s)

Shariff for WordPress 0 <= 1.0.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-9677 - Proof of Concept

References

https://wpscan.com/vulnerability/c40298d0-42c2-406c-817a-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 27, 2026
👾
Exploit known to exist
Jun 27, 2026
Vulnerability published
Jun 27, 2026
Vulnerability Reserved
May 27, 2026

Credit

Mustafa Ahmed

WPScan

CVE-2026-9677 Data

JSON