CVE-2026-4334 is a stored cross-site scripting vulnerability in the 3uu Shariff Wrapper WordPress plugin. It stems from improper neutralization of input during web page generation, specifically in the 'headline' parameter of the [shariff] shortcode. Authenticated attackers with Contributor-level privileges can exploit this by injecting arbitrary web scripts due to the plugin's use of a permissive custom wp_kses sanitization combined with a str_replace operation that inserts HTML event handlers after sanitization. This results in script execution when users access the injected pages. The vulnerability has a CVSS 3.1 base score of 6.4 (medium severity), with network attack vector, low attack complexity, privileges required, no user interaction, and impacts confidentiality and integrity with no availability impact. No patch or official fix has been documented as of the published date.

Successful exploitation allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into pages via the 'headline' parameter. These scripts execute in the context of other users viewing the page, potentially leading to unauthorized actions or data disclosure limited to the confidentiality and integrity of the affected site. There is no direct impact on availability. The vulnerability requires authenticated access, reducing the attack surface compared to unauthenticated exploits.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only and consider disabling or removing the Shariff Wrapper plugin if feasible. Monitor for updates from the vendor or WordPress plugin repository to apply any forthcoming patches promptly.