CVE-2026-3618
Received Received - Intake
Stored XSS in Columns by BestWebSoft WordPress Plugin

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The shortcode receives the 'id' parameter via shortcode_atts() at line 596 and directly embeds it into HTML output at line 731 (in a div id attribute) and into inline CSS at lines 672-729 without any escaping or sanitization. While the SQL query uses %d to cast the value to an integer for database lookup, the original unsanitized string value of $id is still used in the HTML/CSS output. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack requires that at least one column exists in the plugin (created by an admin), as the SQL query must return results for the output branch to be reached.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3618
EUVD
EUVD-2026-20106
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bestwebsoft the_columns to 1.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Columns by BestWebSoft plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to 1.0.3.

This vulnerability occurs because the plugin does not properly sanitize or escape the 'id' attribute before embedding it into HTML and inline CSS output.

Although the SQL query casts the 'id' to an integer for database lookup, the original unsanitized string is still used in the HTML and CSS output, allowing an attacker to inject arbitrary scripts.

An authenticated attacker with Contributor-level access or higher can exploit this by injecting malicious scripts that execute whenever a user views the affected page, provided that at least one column exists in the plugin.

Impact Analysis

This vulnerability can allow an attacker with Contributor-level access to inject malicious scripts into pages on your WordPress site.

These scripts will execute in the browsers of users who visit the infected pages, potentially leading to theft of user data, session hijacking, or other malicious actions.

Since the attack requires authenticated access, it could be used to escalate privileges or compromise the integrity of your website content.

Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts that execute when users access the affected pages. This Stored Cross-Site Scripting (XSS) flaw can lead to unauthorized access to user data or session hijacking.

Such unauthorized script execution can compromise the confidentiality and integrity of personal data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding user information against unauthorized access and ensuring secure processing.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive data to attackers through cross-site scripting attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3618. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart