Word 2 Cash Security & Risk Analysis

wordpress.org/plugins/word-2-cash

Word 2 Cash is a free WordPress plugin. Its purpose is to turn specified keywords on your blog into links.

10 active installs v0.9.2 PHP + WP 2.8+ Updated Oct 26, 2009
affiliate-linkskeywordsseo
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEMay 19, 2026
Safety Verdict

Is Word 2 Cash Safe to Use in 2026?

Use With Caution

Score 63/100

Word 2 Cash has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: May 19, 2026Updated 16yr ago
Risk Assessment

The word-2-cash plugin version 0.9.2 exhibits a concerning security posture despite a lack of known CVEs or recorded vulnerabilities. The static analysis reveals a complete absence of any attack surface (AJAX handlers, REST API routes, shortcodes, cron events) with protection checks, which is a positive indicator. However, the code analysis shows significant weaknesses, particularly in output escaping, with 100% of outputs being unescaped. Furthermore, the taint analysis indicates two flows with unsanitized paths, suggesting potential vulnerabilities that could be exploited if an entry point were present. The absence of vulnerability history is good, but it doesn't negate the issues found in the code itself, which represent inherent risks.

Key Concerns

  • All outputs are unescaped
  • Taint flow with unsanitized path
  • Taint flow with unsanitized path
Vulnerabilities
1 published

Word 2 Cash Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-6395medium · 6.1Cross-Site Request Forgery (CSRF)

Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

May 19, 2026Unpatched
Version History

Word 2 Cash Release Timeline

v0.9.2Current1 CVE
v0.9.11 CVE
Code Analysis
Analyzed Mar 16, 2026

Word 2 Cash Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
2
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped2 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
w2c_admin (word2cash.php:16)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Word 2 Cash Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 2
actionadmin_menuword2cash.php:11
filterthe_contentword2cash.php:47
Maintenance & Trust

Word 2 Cash Maintenance & Trust

Maintenance Signals

WordPress version tested2.8.5
Last updatedOct 26, 2009
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Word 2 Cash Developer Profile

winking

2 plugins · 20 total installs

76
trust score
Avg Security Score
74/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Word 2 Cash

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
wrap
Data Attributes
name="w2c-definitions"name="w2c-submitted"
FAQ

Frequently Asked Questions about Word 2 Cash