CVE-2026-1098: CM CSS Columns WordPress XSS Vulnerability

CVE-2026-1098 Overview

CVE-2026-1098 is a Stored Cross-Site Scripting (XSS) vulnerability in the CM CSS Columns plugin for WordPress, affecting all versions up to and including 1.2.1. The flaw exists in the tag shortcode attribute due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any user who visits the affected page, enabling session theft, redirection, or content manipulation. The vulnerability is tracked under CWE-79 and is documented in the Wordfence Vulnerability Report.

Critical Impact

Authenticated contributors can persist malicious JavaScript on WordPress pages, executing in the browsers of all visitors, including administrators.

Affected Products

• CM CSS Columns plugin for WordPress, all versions through 1.2.1
• WordPress sites permitting Contributor-level user registration with the plugin installed
• WordPress installations exposing the tag shortcode attribute via the plugin's Shortcoder.php

Discovery Timeline

• 2026-01-24 - CVE-2026-1098 published to NVD
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2026-1098

Vulnerability Analysis

The vulnerability resides in the CM CSS Columns plugin's shortcode handler, specifically in Shortcoder.php at line 109. The plugin accepts a tag attribute through its shortcode but fails to sanitize the input or escape the output when rendering HTML. An authenticated user with Contributor privileges can embed the shortcode in post content with a crafted tag value containing JavaScript payloads. When the post is rendered, the unescaped attribute is written into the page's HTML, executing the attacker's script in the visitor's browser session.

Because Contributor accounts are commonly granted on WordPress sites that accept guest authorship or open registration, the access barrier is low. The scope change reflected in the CVSS vector indicates the injected script affects components beyond the vulnerable plugin, including browser sessions of administrators viewing the malicious page.

Root Cause

The root cause is missing input sanitization and output escaping on the tag shortcode attribute. The plugin does not apply WordPress functions such as esc_attr(), esc_html(), or wp_kses() to user-supplied values before rendering them into HTML output. Source code is visible in the WordPress Plugin Source Code and the WordPress Plugin Development Code.

Attack Vector

An attacker first obtains Contributor-level access through registration, social engineering, or credential compromise. The attacker then creates or edits a post containing the plugin's shortcode with a malicious payload supplied via the tag attribute. After submission, when the post is rendered, the unsanitized attribute injects JavaScript into the DOM. Any visitor, including authenticated administrators, executes the payload in their browser context, enabling cookie theft, CSRF actions, or privilege escalation through admin-targeted attacks.

Detection Methods for CVE-2026-1098

Indicators of Compromise

• Posts or pages containing cm-css-columns shortcodes with tag attribute values containing <script>, javascript:, event handlers such as onerror=, or encoded payloads
• Unexpected outbound requests from visitor browsers to attacker-controlled domains shortly after rendering plugin shortcodes
• New or modified posts authored by Contributor-level accounts that contain shortcode attributes with HTML or JavaScript syntax

Detection Strategies

• Audit the wp_posts table for shortcode strings referencing the CM CSS Columns plugin and inspect tag attribute values for script content
• Deploy a web application firewall rule that inspects POST requests to wp-admin/post.php for shortcode payloads containing HTML tags within attributes
• Review user role assignments and identify Contributor or Author accounts with recent post creation activity

Monitoring Recommendations

• Monitor WordPress audit logs for post creation and edit events from low-privilege accounts on sites running the plugin
• Track browser-side Content Security Policy (CSP) violation reports indicating blocked inline script execution on plugin-rendered pages
• Alert on anomalous administrator session activity following visits to pages containing the affected shortcode

How to Mitigate CVE-2026-1098

Immediate Actions Required

• Deactivate the CM CSS Columns plugin until a patched version is released and verified
• Review all posts containing the plugin's shortcodes and remove any with suspicious tag attribute content
• Restrict Contributor and Author role assignments and audit existing low-privilege accounts for legitimacy

Patch Information

No patched version is identified in the available CVE data beyond 1.2.1. Site administrators should monitor the WordPress Plugin Directory and the Wordfence Vulnerability Report for updates. Apply any vendor-released update that explicitly addresses sanitization of the tag shortcode attribute in Shortcoder.php.

Workarounds

• Disable the CM CSS Columns plugin entirely if the patched version is not yet available
• Implement a strict Content Security Policy that blocks inline scripts and unauthorized script sources to reduce XSS impact
• Deploy a WordPress security plugin or WAF with rules that strip HTML and JavaScript from shortcode attributes before rendering
• Limit user registration and require manual approval for accounts granted post-authoring privileges

# Configuration example: temporarily disable the plugin via WP-CLI
wp plugin deactivate cm-css-columns

# Audit posts for suspicious shortcode usage
wp db query "SELECT ID, post_title, post_author FROM wp_posts WHERE post_content LIKE '%cm-css-columns%' AND post_content REGEXP 'tag=\"[^\"]*<';"