CVE-2026-3619

Name of the Vulnerable Software and Affected Versions Sheets2Table plugin for WordPress versions up to and including 0.4.1

Description The Sheets2Table plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'titles' shortcode attribute within the [sheets2table-render-table] shortcode. This occurs because of inadequate input sanitization and output escaping. The titles attribute value is processed by the S2T Functions::trim array values() function, which only removes whitespace, and then directly output into HTML using echo $header inside a <th> tag within the display table header() function without proper escaping, such as esc html(). This allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages, which will then execute when a user accesses the compromised page.

Recommendations Update the Sheets2Table plugin to a version beyond 0.4.1.