{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3659", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T19:44:31.859Z", "datePublished": "2026-04-15T08:28:13.507Z", "dateUpdated": "2026-04-15T13:19:14.183Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:13.507Z"}, "affected": [{"vendor": "bappidgreat", "product": "WP Circliful", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/030534e2-bf7d-42e4-94a1-986f629bea15?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L285"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L285"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L257"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L257"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L263"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L263"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L241"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L241"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-04-14T19:47:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:19:06.984838Z", "id": "CVE-2026-3659", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:19:14.183Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:19:06.984838Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:19:10.406Z"}}], "cna": {"title": "WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bappidgreat", "product": "WP Circliful", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-14T19:47:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/030534e2-bf7d-42e4-94a1-986f629bea15?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L285"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L285"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L257"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L257"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L263"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L263"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/trunk/wp-circliful.php#L241"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-circliful/tags/1.2/wp-circliful.php#L241"}], "descriptions": [{"lang": "en", "value": "The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:13.507Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3659", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:19:14.183Z", "dateReserved": "2026-03-06T19:44:31.859Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T08:28:13.507Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T10:52:01.948542+00:00", "value": {"mitigation_remediation": ["Upgrade WP Circliful to the latest release (\u22651.3) which removes the unsanitized shortcode handling.", "If an upgrade cannot be performed immediately, disable or uninstall the plugin on production sites to eliminate the vulnerable code.", "If the site must remain online while waiting for a fix, restrict Contributor\u2011level users from editing or publishing content that includes the [circliful] or [circliful_direct] shortcodes, or enforce a Content\u2011Security\u2011Policy that blocks inline scripts and disallows event\u2011handler attributes.", "Scan existing posts and pages for any injected HTML or JavaScript and clean or remove any discovered payloads."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have installed WP Circliful version 1.2 or earlier and that allow users with Contributor or higher roles to add or edit content with the [circliful] or [circliful_direct] shortcodes are affected. The plugin\u2019s shortcode handling is present unchanged through version 1.2.", "description_and_impact": "The WP Circliful plugin for WordPress contains a stored XSS flaw in two shortcodes. The 'id' attribute of the [circliful] shortcode and the attributes of the [circliful_direct] shortcode are concatenated directly into HTML output without sanitization or escaping. This allows an authenticated user with Contributor\u2011level or higher privileges to inject arbitrary HTML or JavaScript that will execute whenever any visitor loads a page containing the shortcode. The vulnerability is a classic input\u2011validation weakness (CWE\u201179).", "risk_and_exploitability": "The CVSS base score is 6.4, indicating moderate severity. Exploitation requires authenticated access with Contributor or higher privileges, which limits the threat to sites with multiple trusted users. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack path is straightforward: an attacker crafts a malicious shortcode, publishes or edits a page, and the payload is stored and later rendered for all visitors, enabling session hijacking, credential theft, defacement, or malware delivery."}}}}, "created": "2026-04-15T13:49:14.865099+00:00", "updated": "2026-04-15T13:49:14.865110+00:00", "vendors": []}