CVE-2026-6395: Word 2 Cash <= 0.9.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element, so a stored value containing a closing </textarea> tag followed by a <script> block breaks out of the element and runs as markup. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, provided they can trick that administrator into performing an action such as visiting an attacker-controlled page or clicking a link, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
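The advisory describes three missing controls in one handler: no nonce check on the save, no sanitization before update_option(), and no escaping on output. The block below is an added illustration, not the plugin's own code: it reconstructs the vulnerable shape from the description and places a hardened version of the same handler beside it. Only the function name w2c_admin() and the w2c-definitions POST field come from the advisory; the option key w2c_definitions, the nonce action w2c_save_settings, the nonce field name w2c_nonce, and the text domain are assumptions made for the example.

```php
<?php
/*
 * Added example: the handler pattern described in the advisory next to a
 * hardened rewrite. Only w2c_admin() and the w2c-definitions POST field are
 * taken from the advisory; the option key, nonce action/field name, and
 * text domain below are hypothetical.
 */

// --- Vulnerable shape (reconstruction of what the advisory describes) ---
function w2c_admin_vulnerable() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // No nonce check, no capability check, no sanitization: any site that
        // can make a logged-in administrator's browser POST here wins.
        update_option( 'w2c_definitions', $_POST['w2c-definitions'] );
    }

    $value = get_option( 'w2c_definitions', '' );
    // Unescaped echo inside a textarea: a stored value such as
    // '</textarea><script>...</script>' closes the element and executes.
    echo '<form method="post">';
    echo '<textarea name="w2c-definitions">' . $value . '</textarea>';
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened version ---
function w2c_admin_hardened() {
    // Capability check: only users who may manage options reach the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'word-2-cash' ) );
    }

    if ( isset( $_POST['w2c-definitions'] ) ) {
        // 1. CSRF: the nonce ties this POST to a form this user rendered.
        //    check_admin_referer() calls wp_die() when the nonce is missing
        //    or invalid, so execution does not continue past this line.
        check_admin_referer( 'w2c_save_settings', 'w2c_nonce' );

        // 2. Input handling: WordPress adds slashes to $_POST, so strip them,
        //    then sanitize. sanitize_textarea_field() keeps newlines but
        //    removes tags, octets and control characters.
        $raw   = wp_unslash( $_POST['w2c-definitions'] );
        $clean = sanitize_textarea_field( $raw );
        update_option( 'w2c_definitions', $clean );
    }

    $value = get_option( 'w2c_definitions', '' );
    echo '<form method="post">';
    // 3. Output escaping for textarea context: esc_textarea() HTML-encodes
    //    '<', '>', '&' and quotes, so a stored '</textarea>' cannot close
    //    the element regardless of how the option was written.
    echo '<textarea name="w2c-definitions">' . esc_textarea( $value ) . '</textarea>';
    // Emit the nonce field that check_admin_referer() above verifies.
    wp_nonce_field( 'w2c_save_settings', 'w2c_nonce' );
    echo '<input type="submit" value="Save"></form>';
}
```

The nonce alone closes the CSRF vector, but it does not close the XSS: without output escaping, an administrator can still store markup that fires on their own session, and any other code path that writes the same option (an importer, a REST route, a direct database edit) would reach the unescaped echo. Sanitizing on input and escaping on output are independent fixes, and the upstream patch needs both, which is why the advisory lists all three missing controls rather than just the nonce.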
Affected Software
Word 2 Cash plugin for WordPress, versions 0.9.2 and earlier. Fixed in version 0.9.3.
Frequently Asked Questions
What is the severity of CVE-2026-6395?
CVE-2026-6395 is classified as a high severity vulnerability due to its potential for Cross-Site Request Forgery leading to Stored Cross-Site Scripting.
How do I fix CVE-2026-6395?
To fix CVE-2026-6395, update the Word 2 Cash plugin to version 0.9.3 or later where the vulnerability is addressed.
Who is affected by CVE-2026-6395?
CVE-2026-6395 impacts users of the Word 2 Cash plugin for WordPress in versions up to and including 0.9.2.
What types of attacks does CVE-2026-6395 facilitate?
CVE-2026-6395 facilitates Cross-Site Request Forgery attacks that can result in Stored Cross-Site Scripting on affected sites.
Is CVE-2026-6395 already exploited in the wild?
As of the latest information, there are no confirmed reports of CVE-2026-6395 being actively exploited in the wild.