cleantalk
Vulnerabilities and Security Researches

Word 2 Cash, CVE-2026-6395

CVE, Research URL

CVE-2026-6395

Home page URL

Security reports for Word 2 Cash

Application

Word 2 Cash

Published on
May 20, 2026
Research Description
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
Affected versions
max 0.9.2.
Status
vulnerable
Previous vulnerability researches
BLOGCHAT Chat System (CVE-2026-8420) , May 23, 2026
New vulnerability
Online Service Booking System &amp; Reservation Plugin &#8211; WpBookingly (CVE-2026-27405) , May 23, 2026
Anomify AI &#8211; Anomaly Detection and Alerting (CVE-2026-6405) , May 23, 2026
Anomify AI &#8211; Anomaly Detection and Alerting (CVE-2026-6404) , May 23, 2026
Salon booking system (CVE-2026-42666) , May 23, 2026
Error Log Monitor, Activity Logs, User Activity Tracking from Logtivity (CVE-2026-42673) , May 23, 2026