cleantalk
Vulnerabilities and Security Researches

Word 2 Cash, CVE-2026-6395

CVE, Research URL

CVE-2026-6395

Home page URL

Security reports for Word 2 Cash

Application

Word 2 Cash

Published on
May 20, 2026
Research Description
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.
Affected versions
max 0.9.2.
Status
vulnerable
Previous vulnerability researches
Ultimate Classified Listings (CVE-2024-52487) , Nov 23, 2024
Ultimate Classified Listings (CVE-2024-52448) , Nov 22, 2024
Ultimate Classified Listings (CVE-2024-13753) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-13748) , Feb 22, 2025
Ultimate Classified Listings (CVE-2024-5882) , Jul 17, 2024
New vulnerability
Amazon Scraper (CVE-2026-8419) , May 23, 2026
WPB Floating Menu or Categories &#8211; Sticky Floating Side Menu &amp; Categories with Icons (CVE-2026-4811) , May 23, 2026
Online Service Booking System &amp; Reservation Plugin &#8211; WpBookingly (CVE-2026-27405) , May 23, 2026
Anomify AI &#8211; Anomaly Detection and Alerting (CVE-2026-6405) , May 23, 2026
Anomify AI &#8211; Anomaly Detection and Alerting (CVE-2026-6404) , May 23, 2026