CVE-2026-3659
Status: Received - Intake
Stored XSS in WP Circliful Plugin Shortcode Attributes

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Wordfence

Description
The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
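The escaping defect the description names, shown as an added illustration that is not the plugin's own code: a shortcode handler that concatenates attribute values straight into the markup, beside a hardened handler that whitelists attributes with shortcode_atts(), restricts the id to class-safe characters with sanitize_html_class(), casts the numeric data-* value, and escapes at output with esc_attr(). The function_exists() fallbacks are an assumption added so the file runs from the PHP CLI without WordPress loaded; inside WordPress the real functions are used.

```php
<?php
// Added illustration of the unescaped-attribute pattern and its fix; not the plugin's code.
// Fallbacks (assumption) so this runs stand-alone from the CLI; WordPress provides the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class($s) { return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $s); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Vulnerable pattern: the attribute value is concatenated into the HTML attribute unescaped,
// so a double quote in the value terminates the id attribute and whatever follows becomes markup.
function circliful_shortcode_unsafe($atts) {
    $atts = shortcode_atts(['id' => 'circle', 'percent' => '0'], $atts);
    return '<div id="' . $atts['id'] . '" data-percent="' . $atts['percent'] . '"></div>';
}

// Hardened pattern: shortcode_atts() drops any attribute not in the whitelist (the failure mode of
// dumping every attribute into data-* values), the id is reduced to [A-Za-z0-9_-], the percentage
// is cast to an integer, and every value is still passed through esc_attr() at the point of output.
function circliful_shortcode_safe($atts) {
    $atts    = shortcode_atts(['id' => 'circle', 'percent' => '0'], $atts);
    $id      = sanitize_html_class($atts['id']);
    $percent = (int) $atts['percent'];
    return '<div id="' . esc_attr($id) . '" data-percent="' . esc_attr($percent) . '"></div>';
}

// Constructed input: a quote that closes the id attribute early, plus a non-numeric percentage.
$constructed = ['id' => 'chart" title="x', 'percent' => '42abc', 'extra' => 'ignored'];
echo circliful_shortcode_unsafe($constructed), PHP_EOL; // attribute boundary is broken
echo circliful_shortcode_safe($constructed), PHP_EOL;   // single well-formed id, integer percent
```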
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wp_circliful
Product: circliful
Version / Range: up to 1.2 (inclusive)
Helpful Resources
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The WP Circliful plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its shortcode attributes. Specifically, the 'id' attribute of the [circliful] shortcode and multiple attributes of the [circliful_direct] shortcode are not properly sanitized or escaped. This allows an attacker to inject malicious scripts by breaking out of HTML attributes, which then execute when a user views the affected page.

The vulnerability arises because the plugin directly inserts user-supplied shortcode attribute values into HTML id and data-* attributes without escaping, enabling script injection.

Only authenticated users with Contributor-level access or higher can exploit this vulnerability.


How can this vulnerability impact me?

This vulnerability can allow attackers with Contributor-level access to inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the infected page, potentially leading to unauthorized actions such as stealing user credentials, session hijacking, or defacing the website.

Because the attack is stored, the malicious script persists on the site and affects all visitors to the compromised pages.

The CVSS score of 6.4 indicates a medium severity impact, with low attack complexity but requiring some privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'id' shortcode attribute of the [circliful] shortcode and multiple shortcode attributes of the [circliful_direct] shortcode in the WP Circliful plugin. Detection involves identifying usage of these shortcodes with potentially malicious or unexpected attribute values.

Since the vulnerability is related to shortcode attributes being injected into HTML without proper escaping, you can detect suspicious shortcode usage by searching your WordPress content database or files for the presence of [circliful] or [circliful_direct] shortcodes with unusual or script-like attribute values.

  • Search WordPress posts and pages for the shortcode usage with potentially malicious payloads, e.g., using WP-CLI: wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -i '\[circliful'
  • Use grep or similar tools on exported content or backups to find suspicious shortcode attributes, e.g., grep -r '\[circliful' /path/to/wordpress/wp-content/
  • Monitor HTTP requests and responses for injected scripts or unusual HTML attributes related to the plugin's shortcodes.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, the immediate step is to update the WP Circliful plugin to a version that fixes the insufficient input sanitization and output escaping issues. Since all versions up to and including 1.2 are vulnerable, upgrading to a patched version (if available) is critical.

If an update is not immediately available, consider disabling or removing the WP Circliful plugin to prevent exploitation.

Additionally, restrict Contributor-level and above user permissions to trusted users only, as the vulnerability requires authenticated users with at least Contributor access to exploit.

Review and sanitize existing content for malicious shortcode injections and remove any suspicious shortcode attributes.

