Stored Cross-Site Scripting Vulnerability in Columns by BestWebSoft Plugin for WordPress
CVE-2026-3618

6.4 MEDIUM

What is CVE-2026-3618?

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. The plugin embeds the attribute value directly into HTML and inline CSS without sanitizing the input or escaping the output. Because WordPress allows Contributor-level users and above to place shortcodes in their posts even though it strips raw HTML from them, an authenticated attacker with Contributor-level access or higher can store a script payload in the attribute that executes in the browser of any user who views a page on which the shortcode is rendered. The unsafe handling occurs at several points in the shortcode's implementation. Exploitation requires that an administrator has created at least one column.
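The pattern the advisory describes, as an added example that is not the plugin's own code: a shortcode handler that drops the 'id' attribute into an HTML attribute and a CSS selector verbatim, beside a hardened handler. The shortcode tag and attribute name come from the advisory; the function names, the markup, and the assumption that 'id' is meant to be a numeric column identifier are hypothetical. The block is meant to be loaded inside WordPress (it relies on shortcode_atts(), absint(), esc_attr() and add_shortcode()).

```php
<?php
// Added example (not the plugin's code): the unsafe pattern described in
// CVE-2026-3618 beside a hardened equivalent. Function names, markup and the
// "id is a numeric column identifier" assumption are hypothetical.

// Vulnerable pattern: the 'id' attribute is concatenated into HTML and inline
// CSS as-is. WordPress strips raw <script> from a Contributor's post via
// KSES, but shortcode attributes bypass that filter, so a post containing
//   [print_clmns id='1" onmouseover="alert(1)']
// (single-quoted attribute values may contain double quotes) produces
//   <div id="clmns_1" onmouseover="alert(1)" class="clmns">
// once the post is previewed or published.
function example_print_clmns_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'print_clmns' );
    $id   = $atts['id'];

    $html  = '<style>#clmns_' . $id . ' { display: flex; }</style>';
    $html .= '<div id="clmns_' . $id . '" class="clmns">...</div>';
    return $html;
}

// Hardened pattern: treat 'id' as the integer it is meant to be. absint()
// discards everything that is not a non-negative integer, and the handler
// renders nothing at all when no valid column id was supplied.
function example_print_clmns_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'print_clmns' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return '';
    }

    // $id is now an integer, safe in both the id attribute and the selector.
    // Had the attribute needed to remain a string, esc_attr() covers the
    // attribute context, but the <style> context needs an allow-list such as
    // preg_match( '/^[A-Za-z0-9_-]+$/', $id ) rather than HTML escaping,
    // because escaping does not stop CSS-level injection inside a style block.
    $html  = '<style>#clmns_' . $id . ' { display: flex; }</style>';
    $html .= '<div id="clmns_' . esc_attr( $id ) . '" class="clmns">...</div>';
    return $html;
}

add_shortcode( 'print_clmns', 'example_print_clmns_hardened' );
```

The two handlers differ only in how 'id' is treated before it reaches the output, which is the whole fix: the attribute is validated against the type the feature actually needs, and whatever survives is escaped for the context it lands in.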

Affected Version(s)

Columns by BestWebSoft – Additional Columns Plugin for Posts Pages and Widgets: all versions up to and including 1.0.3 (0 <= 1.0.3)

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

Muhammad Yudha - DJ