Description
Cross-Site Request Forgery (CSRF) vulnerability in James Andrews Full Circle full-circle allows Stored XSS. This issue affects Full Circle: from n/a through <= 0.5.7.8.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery that permits a malicious payload to be stored through the Full Circle plugin. An attacker who can get a crafted request submitted will have that payload saved by the plugin, and future visitors to the site will receive the stored code as part of the page, creating a stored cross-site scripting (XSS) condition. The description indicates only stored XSS; no other impact claims should be made.

Affected Systems

Affected systems are any WordPress installation that includes the Full Circle plugin by James Andrews. All versions of the plugin from the earliest release up to and including 0.5.7.8 are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 signals high severity. The EPSS score below 1 % indicates only a very low probability of exploitation at present, and the vulnerability is not in the CISA KEV catalog. Because the flaw is a CSRF, the likely attack path requires the attacker either to act as a privileged user or to trick an authenticated user into submitting a malicious request; these prerequisites are inferred from the CSRF nature of the flaw and are consistent with the CVSS vector (PR:N, UI:R).

Generated by OpenCVE AI on May 2, 2026 at 05:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Full Circle plugin to a version newer than 0.5.7.8.
  • If the update cannot be applied immediately, disable or uninstall the Full Circle plugin to prevent new payloads from being stored.
  • Restrict the use of the plugin to trusted administrators and enforce role restrictions to limit the potential scope of the flaw.



Advisories

EUVD EUVD-2025-3580: Cross-Site Request Forgery (CSRF) vulnerability in James Andrews Full Circle allows Stored XSS. This issue affects Full Circle: from n/a through 0.5.7.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in James Andrews Full Circle allows Stored XSS. This issue affects Full Circle: from n/a through 0.5.7.8. Cross-Site Request Forgery (CSRF) vulnerability in James Andrews Full Circle full-circle allows Stored XSS.This issue affects Full Circle: from n/a through <= 0.5.7.8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00019}

epss

{'score': 0.00023}


Fri, 31 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in James Andrews Full Circle allows Stored XSS. This issue affects Full Circle: from n/a through 0.5.7.8.
Title WordPress Full Circle plugin <= 0.5.7.8 - CSRF to Stored Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:25:20.584Z

Reserved: 2025-01-16T11:33:14.050Z

Link: CVE-2025-23980

Vulnrichment

Updated: 2025-01-31T19:28:40.393Z

NVD

Status: Deferred

Published: 2025-01-31T09:15:08.973

Modified: 2026-06-17T08:57:49.927

Link: CVE-2025-23980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)