CVE-2024-1106: 
WordPress vulnerability analysis and mitigation

The Shariff Wrapper WordPress plugin before version 4.6.10 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on February 5, 2024, and was assigned CVE-2024-1106. The issue affects the plugin's settings functionality, specifically impacting high-privilege users such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow authenticated users with high privileges to inject malicious JavaScript code into the plugin settings. When other users access pages where Shariff buttons are displayed, the injected code could be executed in their browsers, potentially leading to unauthorized actions or data theft (WPScan).

The vulnerability has been patched in version 4.6.10 of the Shariff Wrapper plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).