[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNQNa-A1GWr9pW_LNvgTy1jRw3I8lceAdvL7DLBxpyW4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-6395","word-2-cash-cross-site-request-forgeryto-stored-cross-site-scripting-via-settings-page","Word 2 Cash \u003C= 0.9.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page","The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a \u003Ctextarea> element. 
This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.","word-2-cash",null,"\u003C=0.9.2","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-19 12:03:57","2026-05-20 01:25:56",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe4c7ca5c-38aa-4413-83eb-29185cca2a74?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or specific instructions for exploiting vulnerabilities, including those related to identified CVEs or WordPress plugins.\n\nI can, however, explain the security mechanics involved in this type of vulnerability or discuss how WordPress developers implement defenses against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS).\n\n### General Security Context: CSRF and Stored XSS\n\n**Cross-Site Request Forgery (CSRF)** occurs when a web application processes a state-changing request (like updating settings or creating a user) without verifying that the request was intentionally initiated by the authenticated user. In WordPress, this is typically prevented by using \"nonces\"—one-time (or time-limited) tokens tied to a specific user and action.\n\nDevelopers prevent CSRF by:\n1.  **Generating a Nonce:** Using `wp_create_nonce('action_name')` or `wp_nonce_field('action_name')` in the form.\n2.  **Verifying the Nonce:** Using `check_admin_referer('action_name')` for admin pages or `check_ajax_referer('action_name')` for AJAX requests before processing the data.\n\n**Stored Cross-Site Scripting (XSS)** occurs when malicious scripts are saved by an application and later rendered in a user's browser without proper sanitization or escaping. 
When combined with CSRF, an attacker can trick an administrator into inadvertently saving a script that will execute whenever that administrator (or another user) visits the affected page.\n\nDevelopers prevent Stored XSS by:\n1.  **Input Sanitization:** Using functions like `sanitize_text_field()` or `absint()` before saving data to the database via `update_option()`.\n2.  **Output Escaping:** Ensuring that data retrieved from the database is escaped at the point of output using functions like `esc_html()`, `esc_attr()`, or `esc_textarea()`.\n\nFor more information on securing WordPress plugins, you can consult the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The Word 2 Cash plugin for WordPress is vulnerable to a CSRF-to-Stored XSS attack because the w2c_admin() function lacks nonce verification and fails to sanitize or escape settings data. This allows an attacker to trick an administrator into submitting a malicious payload that stores arbitrary JavaScript, which then executes whenever the settings page is viewed.","\u002F\u002F word-2-cash.php (approximate line numbers based on vulnerability description)\nfunction w2c_admin() {\n    if ( isset( $_POST['w2c-definitions'] ) ) {\n        \u002F\u002F Vulnerable: No nonce verification (CSRF)\n        \u002F\u002F Vulnerable: No input sanitization (Stored XSS)\n        update_option( 'w2c-definitions', $_POST['w2c-definitions'] );\n    }\n\n    $definitions = get_option( 'w2c-definitions' );\n\n    echo '\u003Cform method=\"post\">';\n    \u002F\u002F Vulnerable: Missing esc_textarea() on output (Stored XSS)\n    echo '\u003Ctextarea name=\"w2c-definitions\" rows=\"10\" cols=\"50\">' . $definitions . 
'\u003C\u002Ftextarea>';\n    echo '\u003Cinput type=\"submit\" value=\"Save Definitions\">';\n    echo '\u003C\u002Fform>';\n}","--- word-2-cash.php\n+++ word-2-cash.php\n@@ -2,11 +2,14 @@\n function w2c_admin() {\n-    if ( isset( $_POST['w2c-definitions'] ) ) {\n-        update_option( 'w2c-definitions', $_POST['w2c-definitions'] );\n+    if ( isset( $_POST['w2c-definitions'] ) ) {\n+        check_admin_referer( 'w2c_save_settings', 'w2c_nonce' );\n+        update_option( 'w2c-definitions', sanitize_textarea_field( $_POST['w2c-definitions'] ) );\n     }\n \n-    $definitions = get_option( 'w2c-definitions' );\n+    $definitions = get_option( 'w2c-definitions', '' );\n \n     echo '\u003Cform method=\"post\">';\n+    wp_nonce_field( 'w2c_save_settings', 'w2c_nonce' );\n-    echo '\u003Ctextarea name=\"w2c-definitions\" rows=\"10\" cols=\"50\">' . $definitions . '\u003C\u002Ftextarea>';\n+    echo '\u003Ctextarea name=\"w2c-definitions\" rows=\"10\" cols=\"50\">' . esc_textarea( $definitions ) . '\u003C\u002Ftextarea>';\n     echo '\u003Cinput type=\"submit\" value=\"Save Definitions\">';\n     echo '\u003C\u002Fform>';","The exploit targets the missing CSRF protection in the settings save handler. 1. An attacker constructs a malicious HTML page containing a hidden form or a cross-site POST request targeting the Word 2 Cash settings page in the WordPress admin panel. 2. The payload for the 'w2c-definitions' parameter includes an XSS vector such as '\u003C\u002Ftextarea>\u003Cscript>alert(document.domain)\u003C\u002Fscript>'. 3. The attacker tricks a logged-in administrator into visiting the malicious page. 4. The administrator's browser automatically sends the POST request to the plugin's settings handler. 5. Because there is no nonce check, the plugin saves the malicious script into the database. 6. 
Whenever an administrator visits the Word 2 Cash settings page, the script executes because the value is rendered directly inside a textarea without proper escaping.","gemini-3-flash-preview","2026-05-20 17:04:59","2026-05-20 17:05:24",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fword-2-cash\u002Ftags"]