CVE-2026-6395
Cross-Site Request Forgery to Stored XSS in Word 2 Cash WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| word2cash | word_2_cash | up to and including 0.9.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Word 2 Cash plugin for WordPress versions up to 0.9.2, where the w2c-definitions POST parameter is saved without sanitization and later rendered without escaping, allowing stored XSS via CSRF.
To detect this vulnerability on your system, you should check if the Word 2 Cash plugin is installed and its version is 0.9.2 or earlier.
You can also monitor HTTP POST requests to the WordPress admin settings page related to the Word 2 Cash plugin, specifically looking for the presence of the w2c-definitions parameter.
Commands to help detect the vulnerability might include:
- Using WP-CLI to check the plugin version: wp plugin list --status=active
- Searching the WordPress database for suspicious or unescaped JavaScript payloads stored in options related to w2c-definitions, e.g., via SQL queries.
- Monitoring HTTP traffic for POST requests to the plugin's settings handler that carry the w2c-definitions parameter but no WordPress nonce field.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the Word 2 Cash plugin to a version later than 0.9.2 where this vulnerability is fixed.
- If an update is not immediately available, disable or deactivate the Word 2 Cash plugin to prevent exploitation.
- Restrict access to the WordPress admin panel to trusted users only.
- Implement web application firewall (WAF) rules to block unauthorized POST requests targeting the w2c-admin settings handler.
- Regularly audit stored options for injected JavaScript payloads and remove any suspicious entries.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary JavaScript code within the WordPress admin panel.
Since the attack can be performed by forging requests on behalf of an administrator, it can lead to unauthorized actions, data theft, or manipulation of the WordPress site settings.
The stored malicious scripts execute whenever the settings page is visited, potentially compromising the security and integrity of the WordPress administration environment.
Can you explain this vulnerability to me?
The Word 2 Cash plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS) in versions up to and including 0.9.2.
This happens because the plugin does not verify nonces on the settings save handler in the w2c_admin() function, and it also fails to sanitize input before storing it or escape output when displaying it.
Specifically, the w2c-definitions POST parameter is saved directly without any filtering and later displayed inside a textarea element without escaping, allowing attackers to inject arbitrary JavaScript.
An unauthenticated attacker can exploit this by forging a request on behalf of a logged-in administrator, causing malicious scripts to be stored and executed in the WordPress admin panel when the settings page is viewed.
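The defects described above (no nonce check, no input sanitization, no output escaping) and the fixes listed under the mitigation steps, shown side by side as an added example. This is hypothetical illustrative code, not the Word 2 Cash plugin's own source; the function names `example_w2c_admin_vulnerable`, `example_w2c_admin_hardened`, the option key `example_w2c_definitions` and the nonce action/field names are assumptions. The WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `sanitize_textarea_field`, `esc_textarea`, `current_user_can`, `update_option`, `get_option`) are real core functions.

```php
<?php
// Added illustrative example (not the plugin's code). Names below are assumptions.

// --- Vulnerable pattern: CSRF (CWE-352) leading to stored XSS ---
function example_w2c_admin_vulnerable() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // No nonce check: a forged POST issued while an admin is logged in is accepted.
        // No sanitization: the raw value is written to the options table as-is.
        update_option( 'example_w2c_definitions', $_POST['w2c-definitions'] );
    }
    $value = get_option( 'example_w2c_definitions', '' );
    // No escaping: any markup in the stored value is rendered as HTML and executes
    // in the browser of every admin who opens this settings page.
    echo '<textarea name="w2c-definitions">' . $value . '</textarea>';
}

// --- Hardened pattern: the same handler with the missing controls added ---
function example_w2c_admin_hardened() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // 1. Capability check: only users allowed to manage options may save.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // 2. Nonce check: the request must carry the token issued with this form,
        //    which a cross-site forged POST cannot obtain. wp_die()s on failure.
        check_admin_referer( 'example_w2c_save_definitions', 'example_w2c_nonce' );
        // 3. Sanitize on input: strips tags and control characters, keeps newlines
        //    (appropriate for a multi-line textarea value).
        $clean = sanitize_textarea_field( wp_unslash( $_POST['w2c-definitions'] ) );
        update_option( 'example_w2c_definitions', $clean );
    }
    $value = get_option( 'example_w2c_definitions', '' );
    echo '<form method="post">';
    // Emit the nonce field that check_admin_referer() above verifies.
    wp_nonce_field( 'example_w2c_save_definitions', 'example_w2c_nonce' );
    // 4. Escape on output: esc_textarea() HTML-encodes <, >, & and quotes, so the
    //    stored value can never close the textarea or introduce a script element.
    echo '<textarea name="w2c-definitions">' . esc_textarea( $value ) . '</textarea>';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

Both sanitizing on save and escaping on output are kept in the hardened version on purpose: sanitization protects the database from storing markup, while escaping protects the page even if a value reached the option by another route (an older unsanitized version, a direct database edit, or an import). The nonce check alone would close the CSRF path but would leave a malicious administrator able to store script; the three controls together cover the full issue the advisory describes.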