PT-2026-42061 · WordPress · Word 2 Cash

Published: 2026-05-20 · Updated: 2026-05-28 · CVE-2026-6395
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Word 2 Cash versions prior to 0.9.3
Description: The Word 2 Cash plugin for WordPress is subject to Cross-Site Request Forgery (CSRF) which can lead to Stored Cross-Site Scripting (XSS). This occurs because the w2c_admin() function lacks nonce verification on its settings save handler, and fails to sanitize input before storage or escape output during rendering. Specifically, the w2c-definitions POST parameter is saved without sanitization via update_option() and subsequently echoed without escaping inside a <textarea> element, so a stored value containing a closing </textarea> tag followed by a <script> block breaks out of the text area and runs as page script. This allows an unauthenticated attacker who can induce a logged-in administrator to visit an attacker-controlled page to forge the settings request on the administrator's behalf and store arbitrary JavaScript that executes in the WordPress admin panel whenever the settings page is accessed.
Recommendations: Update to version 0.9.3 or later. As a temporary workaround, restrict access to the w2c_admin() function or the plugin settings page to minimize the risk of exploitation. Note that a CSRF request is sent from the administrator's own authenticated browser session, so a restriction keyed to the user's role or login state does not stop it; the restriction has to deny the request itself (for example, blocking the settings page at the web server, or deactivating the plugin until it can be updated).
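The following PHP is added here as an illustration and is not code from the Word 2 Cash plugin. It shows the handler pattern the description identifies (no nonce check, raw value stored with update_option(), raw value echoed into a <textarea>) beside a hardened form that uses WordPress's own nonce, capability, sanitization and escaping functions. Only the w2c-definitions parameter name and the w2c_admin() function name come from the advisory; the option key, the nonce action and field names, and the manage_options capability are assumptions.

```php
<?php
/*
 * Added illustration for this advisory, not the plugin's code.
 * Assumed: the option key 'w2c-definitions' mirrors the POST parameter name,
 * the nonce action/field names are hypothetical, and both functions are
 * rendered on a Settings page the way the plugin's w2c_admin() is.
 */

// --- Pattern the advisory describes (deliberately vulnerable) --------------
function w2c_admin_vulnerable() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // No nonce check: any third-party page can make the administrator's
        // browser POST here with the administrator's session cookie attached.
        // No sanitization: the raw value, markup included, is stored.
        update_option( 'w2c-definitions', $_POST['w2c-definitions'] );
    }
    $defs = get_option( 'w2c-definitions', '' );
    // No escaping: a stored "</textarea><script>...</script>" closes the
    // text area and runs in the browser of every admin who opens this page.
    echo '<form method="post"><textarea name="w2c-definitions">' . $defs . '</textarea>';
    echo '<input type="submit" value="Save"></form>';
}

// --- Hardened form ---------------------------------------------------------
function w2c_admin_hardened() {
    // Capability check (assumed capability): only users allowed to manage
    // options may save or even view the settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // Dies with an error page unless the POST carries a nonce minted for
        // this user and this action (hypothetical action/field names);
        // a cross-site form cannot obtain one, which closes the CSRF.
        check_admin_referer( 'w2c_save_settings', 'w2c_nonce' );
        // Remove the slashes WordPress adds to request data, then sanitize:
        // tags are stripped, line breaks are kept.
        $defs = sanitize_textarea_field( wp_unslash( $_POST['w2c-definitions'] ) );
        update_option( 'w2c-definitions', $defs );
    }
    $defs = get_option( 'w2c-definitions', '' );
    echo '<form method="post">';
    // Emits the hidden nonce input that check_admin_referer() verifies above.
    wp_nonce_field( 'w2c_save_settings', 'w2c_nonce' );
    // esc_textarea() HTML-encodes <, >, & and quotes, so a literal
    // "</textarea>" can no longer appear in the output and the XSS is closed.
    echo '<textarea name="w2c-definitions">' . esc_textarea( $defs ) . '</textarea>';
    echo '<input type="submit" value="Save"></form>';
}
```

The two fixes are independent and both are needed: the nonce stops the forged write, while output escaping stops any value that does reach the option from executing. Sanitizing on input is defence in depth, not a substitute for escaping on output, since the option can also be written through other paths.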

Tags: Fix · CSRF
Weakness Enumeration
Related Identifiers: CVE-2026-6395
Affected Products: Word 2 Cash