CVE-2024-1450 in Shariff Wrapper Plugin
Summary
by MITRE • 03/21/2024
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-29109 appears to be a duplicate of this issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/13/2026
The Shariff Wrapper plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2024-1450 that affects all versions up to and including 4.6.10. This vulnerability resides within the plugin's 'shariff' shortcode implementation where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. The flaw specifically impacts the 'align' attribute and potentially other shortcode parameters that accept user input, creating a persistent security risk that can be exploited by authenticated attackers possessing contributor-level permissions or higher.
The technical nature of this vulnerability stems from the plugin's failure to adequately sanitize and escape user-provided data before rendering it within web pages. When an attacker with sufficient privileges creates or modifies content using the shariff shortcode with malicious attributes, the injected script code becomes permanently stored within the WordPress database. This stored payload executes whenever any user accesses pages containing the compromised shortcode, making it a classic stored XSS vulnerability that can affect multiple users over time. The vulnerability aligns with CWE-79 which describes improper neutralization of input during web page generation, and represents a significant deviation from secure coding practices that require strict input validation and output encoding.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to potentially escalate their privileges, steal user sessions, deface websites, or redirect users to malicious sites. Since the vulnerability requires only contributor-level permissions, it represents a particularly concerning risk for WordPress installations where multiple users with varying permission levels exist. The stored nature of the vulnerability means that the attack persists even after the initial injection, requiring administrators to actively scan and clean affected content rather than simply patching the underlying code. This characteristic places the vulnerability in the ATT&CK framework under T1546.004 for "Event Triggered Execution" where the malicious code executes in response to specific user actions.
Mitigation strategies for CVE-2024-1450 primarily focus on immediate plugin updates to version 4.6.11 or later where the vulnerability has been addressed through proper input sanitization and output escaping mechanisms. Administrators should also implement additional security measures including restricting contributor permissions where possible, conducting thorough content audits for existing malicious payloads, and monitoring user activity for suspicious shortcode usage. The fix implemented by the plugin developers should include comprehensive validation of all shortcode attributes, proper HTML escaping of user-supplied content, and adherence to WordPress coding standards that prevent XSS vulnerabilities. Organizations should also consider implementing web application firewalls and content security policies as additional defensive measures to protect against similar vulnerabilities in other plugins and themes.