MEDIUM
winking
CVE published 2026-05-20
CVE-2026-6395
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.9.2. The vulnerability stems from three missing security controls in the w2c_admin() function: no nonce verification on the settings save handler, no input sanitization before storage, and no output escaping when rendering stored values. The [truncated]