Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 20 May 2026 12:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 20 May 2026 11:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Winking
Winking word 2 Cash Wordpress Wordpress wordpress |
|
| Vendors & Products |
Winking
Winking word 2 Cash Wordpress Wordpress wordpress |
Wed, 20 May 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited. | |
| Title | Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page | |
| Weaknesses | CWE-352 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-20T12:06:13.297Z
Reserved: 2026-04-15T20:14:16.470Z
Link: CVE-2026-6395
Updated: 2026-05-20T12:05:59.627Z
Status : Deferred
Published: 2026-05-20T02:16:37.627
Modified: 2026-06-17T11:00:46.473
Link: CVE-2026-6395
No data.
OpenCVE Enrichment
Updated: 2026-05-20T10:38:10Z