CVE-2026-6395

MEDIUM WAF: Low

CVSS 6.1 Published: 2026-05-20

CWE-352

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.</p> </div> <div class="space-y-6"> <div> <h2 class="text-xl font-semibold mb-3">WAF Coverage Analysis</h2> <div class="space-y-3"> <div class="rounded-lg border border-border bg-card p-4"> <div class="flex items-center justify-between mb-2"> <span class="font-medium">Cross-Site Request Forgery (CSRF)</span> <span class="inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-semibold bg-red-500/10 text-red-500">Low WAF Coverage</span> </div> <p class="text-sm text-muted-foreground mb-2">OWASP: A01:2021 Broken Access Control</p> <div class="flex flex-wrap gap-1"></div> </div></div> </div> <div><h2 class='text-xl font-semibold mb-3'>References</h2><ul class='divide-y divide-border'><li class="py-2 border-b border-border last:border-0"><a href="https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L18" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">plugins.trac.wordpress.org</a></li><li class="py-2 border-b border-border last:border-0"><a href="https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L20" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">plugins.trac.wordpress.org</a></li><li class="py-2 border-b border-border last:border-0"><a href="https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L31" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">plugins.trac.wordpress.org</a></li><li class="py-2 border-b border-border last:border-0"><a href="https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L18" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">plugins.trac.wordpress.org</a></li><li class="py-2 border-b border-border last:border-0"><a href="https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L20" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">plugins.trac.wordpress.org</a></li><li class="py-2 border-b border-border last:border-0"><a href="https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L31" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">plugins.trac.wordpress.org</a></li><li class="py-2 border-b border-border last:border-0"><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7ca5c-38aa-4413-83eb-29185cca2a74?source=cve" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">www.wordfence.com</a></li></ul></div> </div> <div class="mt-8 pt-4 border-t border-border text-sm text-muted-foreground"> <a href="/cve/" class="text-primary hover:underline">Back to CVE Database</a> </div> </main> </body> </html>