CVE-2024-4098

9.8 CRITICAL

📋 TL;DR

The Shariff Wrapper WordPress plugin has a Local File Inclusion vulnerability that allows unauthenticated attackers to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and complete system compromise. All WordPress sites using vulnerable versions of the Shariff Wrapper plugin are affected.

💻 Affected Systems

Products:
  • WordPress Shariff Wrapper plugin
Versions: All versions up to and including 4.6.13
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Shariff Wrapper plugin enabled. No authentication required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover via remote code execution, leading to data exfiltration, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Attackers upload malicious PHP files (disguised as images) and execute them via LFI, gaining web server privileges and potentially pivoting to other systems.

🟢 If Mitigated

With proper file upload restrictions and web application firewalls, exploitation attempts are blocked, limiting impact to failed attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: attackers can upload files via other vectors (such as image uploads) and then trigger the LFI via the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.14 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3103137

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find Shariff Wrapper plugin
4. Click 'Update Now' if available
5. If no update shows, manually download version 4.6.14+ from WordPress.org
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Disable Shariff Wrapper Plugin (platform: all)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate shariff

Web Application Firewall Rule (platform: linux)

Block requests to the shariff3uu_fetch_sharecounts function. ModSecurity rule:

SecRule REQUEST_URI "@contains shariff3uu_fetch_sharecounts" "id:1001,phase:1,deny"

REQUEST_URI covers only the request path and query string; to inspect POST body parameters as well, add a rule that matches ARGS (query and body parameters) in phase:2.

🧯 If You Can't Patch

  • Disable the Shariff Wrapper plugin immediately
  • Implement strict file upload restrictions and disable PHP execution in upload directories

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Shariff Wrapper version. If version is 4.6.13 or lower, you are vulnerable.

Check Version:

wp plugin get shariff --field=version

Verify Fix Applied:

Verify plugin version is 4.6.14 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'shariff3uu_fetch_sharecounts' with file path parameters
  • Multiple failed file inclusion attempts
  • Unexpected PHP file execution in upload directories

Network Indicators:

  • POST/GET requests to wp-content/plugins/shariff/ with file path parameters
  • Traffic spikes to plugin endpoints

SIEM Query:

source="web_logs" AND (uri="*shariff3uu_fetch_sharecounts*" OR uri="*wp-content/plugins/shariff/*") AND (query="*file=*" OR query="*path=*")
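As an added example (not part of this advisory and not code from the Shariff Wrapper plugin), the following Python script applies the log and SIEM indicators above to web server access-log lines: it parses Apache/nginx combined-format entries, flags requests that reference shariff3uu_fetch_sharecounts or the plugin directory together with a file or path parameter (the same condition the SIEM query expresses), flags PHP files requested from the uploads directory, and counts failed attempts per source address. The sample log lines, the request paths in them (the admin-ajax action form in particular) and the failure threshold are constructed for the example, not observed traffic or plugin behaviour.

```python
"""Flag Shariff Wrapper LFI indicators in access logs (added example, not advisory code)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the advisory text and its SIEM query.
AJAX_FUNC = "shariff3uu_fetch_sharecounts"
PLUGIN_PATH = "/wp-content/plugins/shariff/"
UPLOADS_PATH = "/wp-content/uploads/"
PATH_PARAMS = {"file", "path"}
PHP_SUFFIXES = (".php", ".phtml", ".phar")

# Apache/nginx "combined" format: ip ident user [time] "method uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(uri):
    """Return the indicator names one request URI matches (empty list = nothing suspicious)."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Mirrors the SIEM query: plugin function or plugin directory AND a file/path parameter.
    touches_plugin = AJAX_FUNC in uri or parts.path.startswith(PLUGIN_PATH)
    if touches_plugin and (PATH_PARAMS & set(params)):
        hits.append("shariff_lfi_attempt")
    # "Unexpected PHP file execution in upload directories" indicator.
    if parts.path.startswith(UPLOADS_PATH) and parts.path.lower().endswith(PHP_SUFFIXES):
        hits.append("php_in_uploads")
    return hits


def scan(lines, fail_threshold=3):
    """Run the indicators over log lines.

    Returns {"alerts": [(ip, uri, status, [indicators]), ...],
             "repeat_offenders": sorted IPs with >= fail_threshold failed (4xx/5xx)
                                 plugin requests, i.e. "multiple failed inclusion attempts"}
    """
    alerts = []
    failed_plugin_hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["uri"])
        if not hits:
            continue
        alerts.append((rec["ip"], rec["uri"], rec["status"], hits))
        if "shariff_lfi_attempt" in hits and rec["status"] >= 400:
            failed_plugin_hits[rec["ip"]] += 1
    offenders = sorted(ip for ip, n in failed_plugin_hits.items() if n >= fail_threshold)
    return {"alerts": alerts, "repeat_offenders": offenders}


# Constructed sample log (not real traffic); request paths are assumptions made for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=shariff3uu_fetch_sharecounts&file=/var/www/html/wp-content/uploads/2024/04/share.jpg HTTP/1.1" 500 164 "-" "curl/8.4.0"
203.0.113.5 - - [10/Apr/2024:12:00:03 +0000] "POST /wp-content/plugins/shariff/?path=/etc/hostname HTTP/1.1" 404 210 "-" "curl/8.4.0"
203.0.113.5 - - [10/Apr/2024:12:00:05 +0000] "GET /wp-content/plugins/shariff/?path=/var/www/html/wp-content/uploads/2024/04/share.jpg HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.7 - - [10/Apr/2024:12:00:09 +0000] "GET /wp-content/uploads/2024/04/share.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2024:12:00:12 +0000] "GET /wp-content/plugins/shariff/css/shariff.min.css HTTP/1.1" 200 4120 "https://example.org/" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2024:12:00:14 +0000] "GET /?p=42 HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for ip, uri, status, hits in result["alerts"]:
        print(f"{ip} {status} {uri} -> {', '.join(hits)}")
    print("repeat offenders:", result["repeat_offenders"])
```

Legitimate plugin assets (the stylesheet request above) produce no alert because they carry no file or path parameter; the three failed requests from one address cross the constructed threshold and surface as a repeat offender, which is the "multiple failed file inclusion attempts" indicator in a form that can be turned into a SIEM correlation rule.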
