CVE-2026-6395: CWE-352 Cross-Site Request Forgery (CSRF) in winking Word 2 Cash
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
AI Analysis
Technical Summary
CVE-2026-6395 affects the Word 2 Cash plugin for WordPress, allowing unauthenticated attackers to perform CSRF attacks due to missing nonce verification in the w2c_admin() function's settings save handler. The vulnerability is exacerbated by the absence of input sanitization and output escaping for the w2c-definitions POST parameter, which is saved raw via update_option() and later echoed inside a <textarea> element. This combination permits stored XSS payloads to execute in the WordPress admin interface when the settings page is accessed by an administrator.
Potential Impact
Successful exploitation allows an attacker to inject and store arbitrary JavaScript code that executes in the context of the WordPress admin panel. This can lead to session hijacking, privilege escalation, or other malicious actions performed with administrator privileges. The CVSS score is 6.1 (medium severity), reflecting the network attack vector, no privileges required, and impact on confidentiality and integrity but not availability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or vendor advisory is available at this time. Until a patch is released, administrators should avoid visiting the plugin's settings page or disable the plugin to prevent exploitation. Monitor official vendor channels for updates and apply patches promptly once available.
CVE-2026-6395: CWE-352 Cross-Site Request Forgery (CSRF) in winking Word 2 Cash
Description
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-6395 affects the Word 2 Cash plugin for WordPress, allowing unauthenticated attackers to perform CSRF attacks due to missing nonce verification in the w2c_admin() function's settings save handler. The vulnerability is exacerbated by the absence of input sanitization and output escaping for the w2c-definitions POST parameter, which is saved raw via update_option() and later echoed inside a <textarea> element. This combination permits stored XSS payloads to execute in the WordPress admin interface when the settings page is accessed by an administrator.
Potential Impact
Successful exploitation allows an attacker to inject and store arbitrary JavaScript code that executes in the context of the WordPress admin panel. This can lead to session hijacking, privilege escalation, or other malicious actions performed with administrator privileges. The CVSS score is 6.1 (medium severity), reflecting the network attack vector, no privileges required, and impact on confidentiality and integrity but not availability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or vendor advisory is available at this time. Until a patch is released, administrators should avoid visiting the plugin's settings page or disable the plugin to prevent exploitation. Monitor official vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-15T20:14:16.470Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d1a61ba1db473621f7ad5
Added to database: 5/20/2026, 2:20:17 AM
Last enriched: 5/20/2026, 2:48:29 AM
Last updated: 5/20/2026, 6:16:50 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.