CVE-2026-3659 describes a stored cross-site scripting vulnerability in the WP Circliful plugin for WordPress. The issue arises from insufficient input sanitization and output escaping in the circliful_shortcode() and circliful_direct_shortcode() functions. The 'id' attribute of the [circliful] shortcode is concatenated directly into an HTML id attribute without escaping, and multiple attributes of the [circliful_direct] shortcode are output directly into HTML data-* attributes without escaping. Authenticated attackers with Contributor-level permissions or higher can exploit this to inject arbitrary HTML event handlers or scripts that execute when users visit the affected pages. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial impact on confidentiality and integrity.

Successful exploitation allows an authenticated user with Contributor-level access or higher to inject malicious scripts into pages via shortcode attributes. These scripts execute in the context of users viewing the pages, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability affects confidentiality and integrity but does not impact availability. There are no known exploits in the wild at this time.

No official patch or remediation is currently available as per the vendor advisory. Users should monitor the vendor's announcements for updates or patches. Until a fix is released, restrict Contributor-level access to trusted users only and consider disabling or removing the WP Circliful plugin if possible to mitigate risk. Avoid using the vulnerable shortcodes with untrusted input.