WP Circliful Security & Risk Analysis

wordpress.org/plugins/wp-circliful

Add a colorful and customizable circliful in your page, post or in widget.

20 active installs · v1.2 · PHP + · WP 3.0.1+ · Updated Mar 2, 2017
circliful · wp-circliful
63
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 14, 2026
Safety Verdict

Is WP Circliful Safe to Use in 2026?

Use With Caution

Score 63/100

WP Circliful has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 14, 2026 · Updated 9yr ago
Risk Assessment

The wp-circliful plugin v1.2 exhibits a generally good security posture based on the provided static analysis and vulnerability history. The plugin has no recorded CVEs, indicating a strong track record of security. Furthermore, the static analysis reveals no dangerous functions, raw SQL queries, file operations, or external HTTP requests, all of which are positive security indicators. The presence of nonce checks also suggests some attention to security measures.

However, there are areas for concern. The plugin has a low percentage of properly escaped output (14%), which is a significant weakness. This means that data displayed to users could potentially be vulnerable to cross-site scripting (XSS) attacks if the input is not adequately sanitized before rendering. Additionally, the absence of capability checks on the identified entry points (shortcodes) means that any user, regardless of their role or permissions, can trigger these functionalities, which could be a privacy or integrity concern depending on what the shortcodes do. The lack of taint analysis data is also a limitation, as it prevents a deeper understanding of potential data flow vulnerabilities.

In conclusion, while wp-circliful has a clean vulnerability history and avoids many common pitfalls, the significant lack of output escaping and the absence of capability checks on its shortcodes present tangible risks. Addressing these specific weaknesses would considerably strengthen its overall security.

Key Concerns

  • Low output escaping percentage
  • Shortcodes lack capability checks
Vulnerabilities
1

WP Circliful Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-3659 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

Apr 14, 2026 · Unpatched
Version History

WP Circliful Release Timeline

v1.2 · Current · 1 CVE
v1.1 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WP Circliful Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 12 (2 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

14% escaped · 14 total outputs
Attack Surface

WP Circliful Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[circliful] wp-circliful.php:27
[circliful_direct] wp-circliful.php:28
WordPress Hooks 9
action plugins_loaded wp-circliful.php:23
action wp_enqueue_scripts wp-circliful.php:24
action init wp-circliful.php:26
action save_post wp-circliful.php:29
action manage_edit-circlifuls_columns wp-circliful.php:31
filter manage_edit-circlifuls_sortable_columns wp-circliful.php:32
filter manage_circlifuls_posts_custom_column wp-circliful.php:33
action init wp-circliful.php:35
action widgets_init wp-circliful.php:395
Maintenance & Trust

WP Circliful Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.33
Last updated: Mar 2, 2017
PHP min version
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 20
Developer Profile

WP Circliful Developer Profile

Ashok

2 plugins · 30 total installs

Trust score: 76
Avg Security Score: 74/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Circliful

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-circliful/assets/css/jquery.circliful.css
/wp-content/plugins/wp-circliful/assets/css/font-awesome.min.css
Script Paths
/wp-content/plugins/wp-circliful/assets/js/jquery.circliful.min.js
/wp-content/plugins/wp-circliful/assets/js/custom.js
Version Parameters
wp-circliful/assets/js/jquery.circliful.min.js?ver=
wp-circliful/assets/js/custom.js?ver=
wp-circliful/assets/css/jquery.circliful.css?ver=
wp-circliful/assets/css/font-awesome.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
circliful
Data Attributes
data-dimension, data-text, data-info, data-width, data-fontsize, data-percent, +7 more
Shortcode Output
<div class="circliful" id="circliful_direct_widget_id_?"></div>