CVE-2026-3618
Stored XSS in Columns by BestWebSoft WordPress Plugin
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bestwebsoft | the_columns | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when users access the affected pages. This Stored Cross-Site Scripting (XSS) flaw can lead to unauthorized access to user data or session hijacking.
Such unauthorized script execution can compromise the confidentiality and integrity of personal data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding user information against unauthorized access and ensuring secure processing.
Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive data to attackers through cross-site scripting attacks.
Can you explain this vulnerability to me?
The Columns by BestWebSoft plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to 1.0.3.
This vulnerability occurs because the plugin does not properly sanitize or escape the 'id' attribute before embedding it into HTML and inline CSS output.
Although the SQL query casts the 'id' to an integer for database lookup, the original unsanitized string is still used in the HTML and CSS output, allowing an attacker to inject arbitrary scripts.
An authenticated attacker with Contributor-level access or higher can exploit this by injecting malicious scripts that execute whenever a user views the affected page, provided that at least one column exists in the plugin.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Contributor-level access to inject malicious scripts into pages on your WordPress site.
These scripts will execute in the browsers of users who visit the infected pages, potentially leading to theft of user data, session hijacking, or other malicious actions.
Since the attack requires authenticated access, it could be used to escalate privileges or compromise the integrity of your website content.