CVE-2026-6395

EUVD-2026-31041

20.05.2026, 02:16

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L18

https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L20

https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L31

https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L18

https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L20

https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L31

https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7ca5c-38aa-4413-83eb-29185cca2a74?source=cve