CVE-2026-3659 Overview
The WP Circliful plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.2. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts that execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers with Contributor-level privileges can inject malicious JavaScript through shortcode attributes, enabling session hijacking, credential theft, and defacement of WordPress sites using the WP Circliful plugin.
Affected Products
- WP Circliful WordPress Plugin versions up to and including 1.2
- WordPress installations using vulnerable [circliful] shortcode
- WordPress installations using vulnerable [circliful_direct] shortcode
Discovery Timeline
- April 15, 2026 - CVE-2026-3659 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3659
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from improper handling of user-controlled input within the WP Circliful plugin's shortcode processing functions. The plugin fails to implement proper input sanitization and output escaping, allowing authenticated attackers to inject malicious scripts that persist in the database and execute in victims' browsers.
The vulnerability affects two distinct shortcode handlers. In the circliful_shortcode() function, the id attribute value is concatenated directly into an HTML id attribute at line 285 without any escaping. This allows attackers to break out of the double-quoted attribute context and inject arbitrary HTML event handlers.
Similarly, the circliful_direct_shortcode() function at line 257 outputs all shortcode attributes directly into HTML data-* attributes without escaping, providing multiple injection points for malicious payloads.
Root Cause
The root cause is a lack of proper input validation and output encoding in the shortcode handler functions. WordPress provides built-in escaping functions such as esc_attr(), esc_html(), and wp_kses() that should be applied to any user-supplied data before outputting to HTML. The WP Circliful plugin directly concatenates user input into HTML attributes without utilizing these security functions, creating the XSS vulnerability.
Attack Vector
The attack can be executed remotely over the network by any authenticated user with at least Contributor-level privileges. The attacker creates or edits a post containing a malicious shortcode with crafted attribute values designed to escape the HTML attribute context and inject JavaScript. When any user (including administrators) views the page containing the malicious shortcode, the injected script executes in their browser context.
The vulnerability does not require user interaction beyond viewing the infected page, and the malicious payload persists until the content is modified. This allows for attacks such as session hijacking, phishing, keylogging, and administrative account takeover.
Detection Methods for CVE-2026-3659
Indicators of Compromise
- Review WordPress posts and pages containing [circliful] or [circliful_direct] shortcodes for suspicious attribute values containing JavaScript event handlers
- Monitor for shortcode attributes containing patterns like onmouseover, onerror, onclick, or <script> tags
- Check for encoded payloads in shortcode attributes that decode to malicious JavaScript
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in WordPress shortcode attributes
- Enable WordPress audit logging to track post/page modifications by Contributor-level users
- Scan stored content in the wp_posts table for XSS payloads embedded in shortcode syntax
- Deploy browser-based XSS detection tools that can identify DOM manipulation attacks
Monitoring Recommendations
- Monitor server logs for unusual POST requests to WordPress post editing endpoints containing XSS payloads
- Set up alerts for JavaScript errors that may indicate XSS exploitation attempts
- Review Content Security Policy (CSP) violation reports for inline script execution attempts
- Implement real-time monitoring of page content changes for unauthorized script injection
How to Mitigate CVE-2026-3659
Immediate Actions Required
- Disable or remove the WP Circliful plugin until a patched version is available
- Audit all existing posts and pages containing [circliful] or [circliful_direct] shortcodes for malicious payloads
- Restrict Contributor-level access to trusted users only
- Implement a Content Security Policy (CSP) to mitigate the impact of any successful XSS injection
Patch Information
As of the last update on April 15, 2026, no official patch has been released for this vulnerability. Users should monitor the Wordfence Vulnerability Report for updates on patch availability. Review the vulnerable code in the WP Circliful plugin source to understand the affected functions.
Workarounds
- Remove the WP Circliful plugin entirely if the circular progress bar functionality is not essential
- Implement server-side input validation using WordPress hooks to sanitize shortcode attributes before processing
- Deploy a WAF rule to block requests containing XSS patterns in shortcode syntax
- Limit post creation and editing capabilities to Administrator-level users until a patch is available
# Disable WP Circliful plugin via WP-CLI
wp plugin deactivate wp-circliful
# Search for potentially malicious shortcodes in database
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[circliful%' AND post_content REGEXP '(onerror|onmouseover|onclick|<script)'"
# Add Content Security Policy header in .htaccess
echo "Header set Content-Security-Policy \"default-src 'self'; script-src 'self'\"" >> .htaccess
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
