PT-2026-31097 · Bestwebsoft · Columns

Published: 2026-04-08 · Updated: 2026-04-13 · CVE-2026-3618

CVSS v3.1: 6.4 (Medium), AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
The Columns by BestWebSoft plugin for WordPress versions up to and including 1.0.3

Description
The Columns by BestWebSoft plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'id' shortcode attribute of the [print_clmns] shortcode. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The shortcode receives the 'id' parameter via shortcode_atts() at line 596 and directly embeds it into HTML output at line 731 and into inline CSS at lines 672-729 without any escaping or sanitization. The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page. The attack requires at least one column to exist in the plugin.

Recommendations
Versions up to and including 1.0.3 should be updated to a newer, fixed version when available. As a temporary workaround, avoid using the 'id' attribute in the [print_clmns] shortcode.
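
While no fixed version is installed, stored content can be audited for uses of the shortcode whose 'id' value is not a plain number. The script below is an added example, not code from the advisory or the plugin; it assumes the tag is written `[print_clmns ...]`, that legitimate column ids are positive integers, and that post rows are supplied as (ID, post_content) pairs, with constructed sample rows standing in for a database export.

```python
import re

# Assumptions (not from the advisory): the tag is written [print_clmns ...]
# and legitimate column ids are plain positive integers.
SHORTCODE_RE = re.compile(r'\[print_clmns(\s[^\]]*)?\]')
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))''')
SAFE_ID_RE = re.compile(r'[1-9][0-9]*')


def audit_content(content):
    """Return (shortcode_text, reason) for each suspect shortcode in content."""
    findings = []
    for match in SHORTCODE_RE.finditer(content):
        raw_attrs = match.group(1) or ''
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(raw_attrs):
            attrs[name.lower()] = dq or sq or bare
        # Text that does not parse as name=value (e.g. an unbalanced quote)
        # is reported rather than silently ignored.
        if ATTR_RE.sub('', raw_attrs).strip():
            findings.append((match.group(0), 'unparsed attribute text'))
        elif 'id' in attrs and not SAFE_ID_RE.fullmatch(attrs['id']):
            findings.append((match.group(0), 'non-numeric id'))
    return findings


def audit_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: findings}."""
    report = {}
    for post_id, content in posts:
        findings = audit_content(content)
        if findings:
            report[post_id] = findings
    return report


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, 'Intro [print_clmns id="3"] outro'),
    (102, '[print_clmns id=7]'),
    (103, '[print_clmns id="3 unexpected-text"]'),
    (104, "[print_clmns id='abc']"),
    (105, '[print_clmns id="5 trailing]'),
    (106, 'No shortcode in this post.'),
]

if __name__ == '__main__':
    for post_id, findings in audit_posts(SAMPLE_POSTS).items():
        for shortcode, reason in findings:
            print(post_id, reason, shortcode)
```

Flagged posts are candidates for manual review, with priority on those authored or last edited by Contributor-level accounts.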

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-3618

Affected Products: Columns