CVE-2026-3619 is a stored cross-site scripting vulnerability identified in the Sheets2Table plugin for WordPress, affecting all versions up to and including 0.4.1. The vulnerability is due to improper neutralization of input during web page generation, specifically within the 'titles' attribute of the [sheets2table-render-table] shortcode. The plugin processes the 'titles' attribute by passing it through a function that only trims whitespace (S2T_Functions::trim_array_values()) but does not perform any HTML escaping or sanitization. Subsequently, the attribute value is directly echoed inside a <th> HTML tag in the display_table_header() function without using escaping functions such as esc_html(). This flaw allows an authenticated attacker with Contributor-level privileges or higher to inject arbitrary JavaScript code that is stored persistently and executed in the browsers of users who visit the compromised page. The vulnerability does not require user interaction beyond page viewing and can lead to partial compromise of confidentiality and integrity, such as session hijacking or content manipulation. The CVSS 3.1 base score is 6.4, indicating medium severity, with a network attack vector, low attack complexity, privileges required, no user interaction, and scope changed due to affecting other components. No known exploits have been reported in the wild as of the publication date. The root cause is insufficient input validation and lack of output escaping in the plugin's codebase, which violates secure coding practices for web applications.

The impact of CVE-2026-3619 is significant for organizations using the Sheets2Table WordPress plugin, especially those allowing Contributor-level users to create or edit content. Successful exploitation enables attackers to inject persistent malicious scripts that execute in the context of any user viewing the affected page, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or defacement of website content. This compromises the confidentiality and integrity of user data and the website itself. While availability is not directly impacted, the reputational damage and potential data breaches can have serious consequences. Since WordPress powers a large portion of websites globally, and plugins like Sheets2Table are used in various sectors including education, small businesses, and content management, the threat surface is broad. Attackers could leverage this vulnerability to establish footholds, escalate privileges, or conduct phishing campaigns by injecting malicious scripts. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low privilege level needed increases risk. Organizations failing to address this vulnerability may face regulatory compliance issues and loss of user trust.

To mitigate CVE-2026-3619, organizations should immediately update the Sheets2Table plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should implement manual code fixes by ensuring all user-supplied input, especially the 'titles' shortcode attribute, is properly sanitized and escaped before output. Specifically, apply WordPress's esc_html() or equivalent escaping functions when rendering data inside HTML elements to prevent script injection. Restrict Contributor-level user permissions where possible and monitor for suspicious shortcode usage or content changes. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting shortcode parameters. Conduct regular security audits and scanning for XSS vulnerabilities in plugins and themes. Educate content creators about the risks of injecting untrusted content. Additionally, implement Content Security Policy (CSP) headers to limit the impact of any injected scripts. Maintain robust logging and alerting to detect exploitation attempts promptly. Finally, consider isolating or disabling the Sheets2Table plugin if it is not essential to reduce attack surface until a secure version is deployed.