Description
The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The WP Circliful plugin for WordPress contains a stored XSS flaw in two shortcodes. The 'id' attribute of the [circliful] shortcode and the attributes of the [circliful_direct] shortcode are concatenated directly into HTML output without sanitization or escaping. This allows an authenticated user with Contributor‑level or higher privileges to inject arbitrary HTML or JavaScript that will execute whenever any visitor loads a page containing the shortcode. The vulnerability is a classic input‑validation weakness (CWE‑79).
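An added example, not code from the WP Circliful plugin or from OpenCVE, showing the unescaped concatenation described above beside a hardened handler. The function names example_circle_shortcode_vulnerable and example_circle_shortcode_hardened, the attribute set (id, percent, text) and the input values are assumptions; esc_attr(), sanitize_html_class() and shortcode_atts() are real WordPress functions, and simplified stand-ins are defined so the file also runs as plain PHP outside WordPress:

```php
<?php
// Added example (not the plugin's code): a shortcode handler that concatenates
// user-supplied attribute values into HTML attributes, beside a hardened
// version that whitelists attributes and escapes output. Stand-ins for the
// WordPress helpers are defined only when WordPress has not loaded them.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode quotes, angle brackets and ampersands.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    // Stand-in for WordPress sanitize_html_class(): keep only A-Z, a-z, 0-9, '-' and '_'.
    function sanitize_html_class($class, $fallback = '') {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return $clean === '' ? $fallback : $clean;
    }
}
if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress shortcode_atts(): drop any attribute not in the defaults list.
    function shortcode_atts(array $defaults, $atts) {
        $atts = (array) $atts;
        $out  = array();
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: raw attribute names and values land in the markup unchanged,
// so a value containing a double quote ends the attribute early.
function example_circle_shortcode_vulnerable($atts) {
    $html = '<div id="circle-' . $atts['id'] . '"';
    foreach ($atts as $name => $value) {
        $html .= ' data-' . $name . '="' . $value . '"';
    }
    return $html . '></div>';
}

// Hardened pattern: known attributes only, a type-appropriate sanitizer for each
// value, and esc_attr() on anything written inside a quoted attribute.
function example_circle_shortcode_hardened($atts) {
    $atts = shortcode_atts(array(
        'id'      => 'default',
        'percent' => '0',
        'text'    => '',
    ), $atts);

    $id      = sanitize_html_class($atts['id'], 'default'); // id: restricted character set
    $percent = max(0, min(100, (int) $atts['percent']));    // percent: clamped integer
    $text    = esc_attr($atts['text']);                      // free text: entity-encoded

    // esc_attr() on $id is redundant after sanitize_html_class() but keeps the
    // rule "every attribute value goes through esc_attr()" uniform.
    return '<div id="circle-' . esc_attr($id) . '"'
         . ' data-percent="' . $percent . '"'
         . ' data-text="' . $text . '"></div>';
}

// Constructed input: a value that closes the quoted attribute early and an
// attribute name the shortcode never defined.
$constructed = array(
    'id'      => 'foo" title="injected',
    'percent' => '75',
    'onclick' => 'unexpected',
);

echo example_circle_shortcode_vulnerable($constructed), PHP_EOL;
echo example_circle_shortcode_hardened($constructed), PHP_EOL;
```

Running the file with `php` and comparing the two lines shows the difference: the vulnerable output carries the injected `title` as a separate attribute and echoes the undefined `onclick` name into a `data-` attribute, while the hardened output keeps only the three declared attributes, with the quote stripped from the id and any remaining special characters entity-encoded so the value cannot terminate the attribute.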

Affected Systems

All WordPress sites that have installed WP Circliful version 1.2 or earlier and that allow users with Contributor or higher roles to add or edit content with the [circliful] or [circliful_direct] shortcodes are affected. The plugin’s shortcode handling is present unchanged through version 1.2.

Risk and Exploitability

The CVSS base score is 6.4, indicating moderate severity. Exploitation requires authenticated access with Contributor or higher privileges, which limits the threat to sites with multiple trusted users. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack path is straightforward: an attacker crafts a malicious shortcode, publishes or edits a page, and the payload is stored and later rendered for all visitors, enabling session hijacking, credential theft, defacement, or malware delivery.

Generated by OpenCVE AI on April 15, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Circliful to the latest release (≥1.3) which removes the unsanitized shortcode handling.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin on production sites to eliminate the vulnerable code.
  • If the site must remain online while waiting for a fix, restrict Contributor‑level users from editing or publishing content that includes the [circliful] or [circliful_direct] shortcodes, or enforce a Content‑Security‑Policy that blocks inline scripts and disallows event‑handler attributes.
  • Scan existing posts and pages for any injected HTML or JavaScript and clean or remove any discovered payloads.
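An added example for the last action above, not code from the plugin or from OpenCVE: it scans post content for [circliful] and [circliful_direct] shortcodes and reports any attribute value containing a quote or angle bracket, the characters the description says reach the HTML attribute unescaped. The function name example_find_suspicious_circliful_shortcodes and the sample rows are constructed; the attribute regex follows the value shapes WordPress's shortcode_parse_atts() accepts (double-quoted, single-quoted and unquoted).

```php
<?php
// Added example (not the plugin's code): report shortcode attribute values that
// could break out of a quoted HTML attribute when written without escaping.

function example_find_suspicious_circliful_shortcodes($post_id, $content) {
    $findings = array();
    // Match the two shortcode tags and capture their attribute string.
    if (!preg_match_all('/\[(circliful(?:_direct)?)\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($tags as $tag) {
        // name="..." | name='...' | name=bare  (the shapes shortcode_parse_atts() accepts)
        preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"]+))/', $tag[2], $attrs, PREG_SET_ORDER);
        foreach ($attrs as $attr) {
            // Pick whichever of the three value groups matched.
            $value = '';
            for ($i = 2; $i <= 4; $i++) {
                if (isset($attr[$i]) && $attr[$i] !== '') { $value = $attr[$i]; break; }
            }
            // A quote or angle bracket is enough to end the attribute or open a tag
            // when the value is concatenated into HTML unescaped.
            if (preg_match('/["\'<>]/', $value)) {
                $findings[] = array(
                    'post_id'   => $post_id,
                    'shortcode' => strtolower($tag[1]),
                    'attribute' => $attr[1],
                    'value'     => $value,
                );
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for (ID, post_content) from wp_posts.
$sample_posts = array(
    101 => 'Progress: [circliful id="weekly" percent="80"] done.',
    102 => "Status [circliful id='w\" title=\"x' percent=\"50\"]",
    103 => '[circliful_direct text=<b>hi</b> percent=20]',
);

foreach ($sample_posts as $id => $content) {
    foreach (example_find_suspicious_circliful_shortcodes($id, $content) as $f) {
        printf("post %d: [%s] attribute %s has suspicious value %s\n",
            $f['post_id'], $f['shortcode'], $f['attribute'], json_encode($f['value']));
    }
}
```

Feed it the ID and post_content columns of wp_posts (for example from a `wp db query` export) and review every hit by hand: the check is deliberately broad and will also report legitimate values that happen to contain a quote, and it only covers these two shortcodes, so it complements rather than replaces a general scan for injected script or event-handler markup.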

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bappidgreat
                                      Bappidgreat wp Circliful
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Bappidgreat
                                      Bappidgreat wp Circliful
                                      Wordpress
                                      Wordpress wordpress

Wed, 15 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 09:00:00 +0000

Type                 Values Removed   Values Added
Description                           The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                 WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T13:19:14.183Z

Reserved: 2026-03-06T19:44:31.859Z

Link: CVE-2026-3659

Vulnrichment

Updated: 2026-04-15T13:19:10.406Z

NVD

Status : Received

Published: 2026-04-15T09:16:32.083

Modified: 2026-04-15T09:16:32.083

Link: CVE-2026-3659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:23Z

Weaknesses