CVE-2026-6395
Severity CVSS v4.0:
Pending analysis
Type:
CWE-352
Cross-Site Request Forgery (CSRF)
Publication date:
20/05/2026
Last modified:
20/05/2026
Description
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. The cause is the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when the stored value is rendered. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping into the settings page markup. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
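The handler pattern the description refers to, shown as an added illustration beside a hardened version. This is not the plugin's own code: only the function name w2c_admin() and the w2c-definitions parameter come from the advisory, while the option name, the textarea element, the capability and the nonce action/field names are assumptions made for the example.

```php
<?php
/*
 * Added example, not code from the Word 2 Cash plugin. It reconstructs the
 * three-part failure the advisory describes (no nonce, no input sanitization,
 * no output escaping) and the WordPress-native fix for each part.
 * Assumed names: option 'w2c_definitions', a <textarea> as the output element,
 * capability 'manage_options', nonce action 'w2c_save_definitions' and nonce
 * field 'w2c_nonce'.
 */

// Vulnerable shape of the settings handler.
function w2c_admin_vulnerable() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // No check_admin_referer(): a cross-site form POST from any origin is
        // accepted as long as the victim's admin cookie rides along.
        // No sanitization: the attacker's markup is stored verbatim.
        update_option( 'w2c_definitions', $_POST['w2c-definitions'] );
    }

    $defs = get_option( 'w2c_definitions', '' );
    echo '<form method="post">';
    // No escaping: a stored "</textarea><script>...</script>" breaks out of the
    // element and runs in the admin's browser on every visit to this page.
    echo '<textarea name="w2c-definitions">' . $defs . '</textarea>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// Hardened shape: capability check, nonce verification, sanitization, escaping.
function w2c_admin_hardened() {
    // Only users allowed to manage options may reach the save path at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    if ( isset( $_POST['w2c-definitions'] ) ) {
        // Dies with a 403 unless the POST carries a nonce tied to this action
        // and the current user's session. A forged cross-site request cannot
        // read the nonce from the page, so it cannot supply one.
        check_admin_referer( 'w2c_save_definitions', 'w2c_nonce' );

        // wp_unslash() removes WordPress' magic-quotes slashes, then
        // sanitize_textarea_field() strips tags and control characters
        // before the value ever reaches the database.
        $clean = sanitize_textarea_field( wp_unslash( $_POST['w2c-definitions'] ) );
        update_option( 'w2c_definitions', $clean );
    }

    $defs = get_option( 'w2c_definitions', '' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() above expects.
    wp_nonce_field( 'w2c_save_definitions', 'w2c_nonce' );
    // esc_textarea() encodes <, >, & and quotes so a stored value can never
    // close the element or introduce new markup, even if a legacy unsanitized
    // value is still in the database.
    echo '<textarea name="w2c-definitions">' . esc_textarea( $defs ) . '</textarea>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

The two output-side defences are deliberately independent of the input-side ones: sanitizing on save protects future writes, but only escaping on output neutralises a payload that was stored before the fix, which is why a patch for this class of bug needs all three changes rather than the nonce alone.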
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L18
- https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L20
- https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L31
- https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L18
- https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L20
- https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L31
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7ca5c-38aa-4413-83eb-29185cca2a74?source=cve