PatchSiren cyber security CVE debrief
CVE-2026-6395 winking CVE debrief
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.9.2. The vulnerability stems from three missing security controls in the w2c_admin() function: no nonce verification on the settings save handler, no input sanitization before storage, and no output escaping when rendering stored values. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This allows unauthenticated attackers to forge requests on behalf of logged-in administrators, storing arbitrary JavaScript payloads that execute in the WordPress admin panel when the settings page is visited. The CVSS 3.1 score of 6.1 (MEDIUM) reflects network attack vector, low attack complexity, no privileges required, user interaction required, and changed scope with low impacts to confidentiality and integrity. The vulnerability was published on 2026-05-20 and last modified the same day. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: winking
- Product: Word 2 Cash
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using the Word 2 Cash plugin, security teams managing WordPress installations, and web application security professionals responsible for plugin security assessments
Technical summary
The vulnerability exists in the w2c_admin() function of the Word 2 Cash WordPress plugin. The function handles settings form submission without verifying a WordPress nonce, allowing CSRF attacks. The w2c-definitions POST parameter is passed directly to update_option() without sanitization, and the stored value is echoed into a <textarea> without escaping via htmlspecialchars() or equivalent. This creates a stored XSS vector where JavaScript payloads persist and execute in the admin context. The attack requires social engineering an administrator to visit a malicious page while authenticated, which then submits the forged request to the plugin's settings handler.
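To make the three missing controls concrete, the following is an added illustration written for this debrief, not the plugin's own code: a minimal handler that follows the vulnerable pattern the advisory describes, next to a hardened version using the standard WordPress nonce, capability, sanitization and escaping APIs. The option name `w2c_definitions`, the nonce action/field names and the function names are assumptions; only the `w2c-definitions` POST field comes from the advisory.

```php
<?php
// Constructed example for this debrief; not the Word 2 Cash plugin source.
// Option name, nonce names and function names are assumptions.

// --- Vulnerable pattern (mirrors the advisory's description) ---
function w2c_admin_vulnerable() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // No nonce check, no capability check, raw value stored.
        update_option( 'w2c_definitions', $_POST['w2c-definitions'] );
    }
    $defs = get_option( 'w2c_definitions', '' );
    // Stored value echoed unescaped inside the <textarea>: stored XSS sink.
    echo '<textarea name="w2c-definitions">' . $defs . '</textarea>';
}

// --- Hardened handler ---
function w2c_admin_hardened() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // 1. CSRF: reject requests lacking the nonce emitted by wp_nonce_field().
        check_admin_referer( 'w2c_save_settings', 'w2c_nonce' );

        // 2. Authorization: only users allowed to change site options.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( __( 'Insufficient permissions.' ) );
        }

        // 3. Sanitize before storage (multi-line text: strips tags, keeps newlines).
        $clean = sanitize_textarea_field( wp_unslash( $_POST['w2c-definitions'] ) );
        update_option( 'w2c_definitions', $clean );
    }

    $defs = get_option( 'w2c_definitions', '' );
    echo '<form method="post">';
    wp_nonce_field( 'w2c_save_settings', 'w2c_nonce' );
    // 4. Escape for the textarea context on output, regardless of stored state.
    echo '<textarea name="w2c-definitions">' . esc_textarea( $defs ) . '</textarea>';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```

Output escaping via esc_textarea() is the control that neutralizes payloads already sitting in the database, so it matters even after the nonce check is added; the sanitization step only protects values saved after the fix.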
Defensive priority
medium
Recommended defensive actions
- Update Word 2 Cash plugin to a version newer than 0.9.2 if available, or remove the plugin if no patch is released
- Implement Web Application Firewall (WAF) rules to block requests to the plugin's settings endpoint that lack proper nonce parameters
- Apply principle of least privilege by restricting administrator access to trusted IP ranges where feasible
- Monitor WordPress admin panel access logs for suspicious requests to word-2-cash settings pages
- Review and sanitize any existing w2c-definitions option values in the WordPress database for malicious JavaScript payloads
- Consider implementing additional CSRF protection at the web server or reverse proxy level for WordPress administrative endpoints
Evidence notes
Vulnerability confirmed through WordPress plugin repository source code analysis at tags/0.9.2 and trunk versions. The w2c_admin() function at lines 18, 20, and 31 in word2cash.php demonstrates the missing nonce verification, raw POST parameter handling, and unescaped output respectively. Wordfence security advisory provides additional technical context.
Official resources
2026-05-20