CVE-2026-6395
Deferred Deferred - Pending Action
Cross-Site Request Forgery to Stored XSS in Word 2 Cash WordPress Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Wordfence

Description
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-09
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6395
EUVD
EUVD-2026-31041
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
word2cash word_2_cash to 0.9.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the Word 2 Cash plugin for WordPress versions up to 0.9.2, where the w2c-definitions POST parameter is saved without sanitization and later rendered without escaping, allowing stored XSS via CSRF.

To detect this vulnerability on your system, you should check if the Word 2 Cash plugin is installed and its version is 0.9.2 or earlier.

You can also monitor HTTP POST requests to the WordPress admin settings page related to the Word 2 Cash plugin, specifically looking for the presence of the w2c-definitions parameter.

Commands to help detect the vulnerability might include:

  • Using WP-CLI to check the plugin version: wp plugin list --status=active
  • Searching the WordPress database for suspicious or unescaped JavaScript payloads stored in options related to w2c-definitions, e.g., via SQL queries.
  • Monitoring HTTP traffic for POST requests containing the w2c-definitions parameter without nonce verification.
Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code within the WordPress admin panel.

Since the attack can be performed by forging requests on behalf of an administrator, it can lead to unauthorized actions, data theft, or manipulation of the WordPress site settings.

The stored malicious scripts execute whenever the settings page is visited, potentially compromising the security and integrity of the WordPress administration environment.

Executive Summary

The Word 2 Cash plugin for WordPress has a vulnerability known as Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS) in versions up to and including 0.9.2.

This happens because the plugin does not verify nonces on the settings save handler in the w2c_admin() function, and it also fails to sanitize input before storing it or escape output when displaying it.

Specifically, the w2c-definitions POST parameter is saved directly without any filtering and later displayed inside a textarea element without escaping, allowing attackers to inject arbitrary JavaScript.

An unauthenticated attacker can exploit this by forging a request on behalf of a logged-in administrator, causing malicious scripts to be stored and executed in the WordPress admin panel when the settings page is viewed.

Mitigation Strategies

Immediate mitigation steps include:

  • Update the Word 2 Cash plugin to a version later than 0.9.2 where this vulnerability is fixed.
  • If an update is not immediately available, disable or deactivate the Word 2 Cash plugin to prevent exploitation.
  • Restrict access to the WordPress admin panel to trusted users only.
  • Implement web application firewall (WAF) rules to block unauthorized POST requests targeting the w2c-admin settings handler.
  • Regularly audit stored options for injected JavaScript payloads and remove any suspicious entries.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6395. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart