CVE-2026-3619 in Sheets2Table Plugin
Summary
by MITRE • 03/21/2026
The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, the 'titles' attribute value from the shortcode is passed through S2T_Functions::trim_array_values() (which only trims whitespace) and then echoed directly into HTML via `echo $header` inside a tag in the display_table_header() function without any escaping such as esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-3619 affects the Sheets2Table plugin for WordPress, a widely used tool for displaying Google Sheets data within WordPress environments. This plugin enables users to embed tabular data from Google Sheets into WordPress posts and pages through shortcode functionality. The vulnerability exists in versions up to and including 0.4.1, representing a significant security risk for WordPress installations that utilize this plugin. The flaw stems from inadequate input validation and output sanitization mechanisms within the plugin's core functionality, creating a persistent cross-site scripting attack vector that can be exploited by authenticated users with relatively low privileges.
The technical implementation of this vulnerability occurs within the plugin's shortcode processing logic, specifically in the [sheets2table-render-table] shortcode handler. When the 'titles' attribute is provided in the shortcode, the plugin processes this input through the S2T_Functions::trim_array_values() method which performs only basic whitespace trimming operations without any sanitization of potentially malicious content. Following this insufficient sanitization step, the processed data is directly echoed into HTML output within the display_table_header() function using simple echo statements without proper HTML escaping mechanisms. This direct output without escaping creates an ideal environment for cross-site scripting attacks, as the plugin fails to implement fundamental security measures that would prevent malicious script execution.
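The pattern described above, reduced to a runnable PHP illustration that is not the plugin's own code: a trim-only "sanitization" step, the unescaped header output, and the same function with output escaping added. The split on commas, the `display_table_header_*` names and the local `esc_html()` stand-in are assumptions for this example; the real plugin's attribute parsing is not documented on this page.

```php
<?php
// Added illustration, not Sheets2Table's code: reproduces the advisory's pattern
// (whitespace trimming only, then header text echoed straight into markup)
// next to an escaped version of the same output routine.

// Stand-in for WordPress's esc_html() so this file runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Mirrors what the advisory says S2T_Functions::trim_array_values() does:
// trim whitespace only. Trimming removes nothing an HTML parser cares about.
function trim_array_values(array $values): array {
    return array_map('trim', $values);
}

// Vulnerable pattern: header text reaches the markup unchanged.
function display_table_header_vulnerable(array $titles): string {
    $html = '<tr>';
    foreach ($titles as $header) {
        $html .= '<th>' . $header . '</th>';   // no esc_html(): any tags in $header are live
    }
    return $html . '</tr>';
}

// Fixed pattern: escape at the point of output, the standard WordPress remedy.
function display_table_header_fixed(array $titles): string {
    $html = '<tr>';
    foreach ($titles as $header) {
        $html .= '<th>' . esc_html($header) . '</th>';
    }
    return $html . '</tr>';
}

// Constructed sample header values, as they might arrive from the 'titles'
// attribute of [sheets2table-render-table titles="..."]; one cell contains
// markup. Comma splitting is an assumption of this example.
$attr_titles = ' Name , Amount<script>alert(1)</script>, Date ';
$titles      = trim_array_values(explode(',', $attr_titles));

// First line keeps the <script> element intact; second line emits &lt;script&gt;,
// so the browser shows the text instead of parsing it as markup.
echo display_table_header_vulnerable($titles), PHP_EOL;
echo display_table_header_fixed($titles), PHP_EOL;
```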
The operational impact of this vulnerability is particularly concerning given the low privilege requirements for exploitation. Attackers need only Contributor-level access or higher to successfully execute this attack, which represents a significant threat to WordPress sites where multiple users have editing capabilities. Once exploited, the malicious scripts injected through the 'titles' attribute will execute in the context of any user who views pages containing the affected shortcode, potentially leading to session hijacking, credential theft, or further compromise of the WordPress installation. The stored nature of this XSS vulnerability means that the malicious code persists in the database and will execute automatically each time the affected page is loaded, making it particularly dangerous for sites with frequent user access. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a classic case of insufficient output escaping in web applications.
The security implications extend beyond simple script execution, as this vulnerability can serve as a stepping stone for more sophisticated attacks within the WordPress environment. An attacker could potentially use the XSS vector to manipulate the plugin's functionality, inject malicious content into the site's pages, or redirect users to malicious external domains. The flaw also shows poor adherence to security best practices such as those in the OWASP Top Ten and other industry standards, which call for input validation and output escaping at every layer of application processing. Organizations should update to a patched version of the plugin as soon as one is available, or in the meantime apply temporary mitigations such as restricting Contributor-level user permissions and monitoring for suspicious shortcode usage. More generally, this vulnerability underlines the need to validate and escape all user-provided input before it is processed and rendered, the same input-handling controls emphasized in the ATT&CK framework's treatment of web application exploitation techniques.