WordPress Word 2 Cash Plugin Cross-Site Request Forgery Vulnerability Allowing Stored Cross-Site Scripting

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Word 2 Cash plugin for WordPress, affecting versions up to and including 0.9.2. It allows an unauthenticated attacker to cause requests to be sent on behalf of a logged-in administrator, resulting in Stored Cross-Site Scripting (XSS). Three defects combine to make this possible: the settings save handler performs no nonce verification, the submitted data is not sanitized before it is saved, and the stored data is not escaped when it is displayed. Specifically, the 'w2c-definitions' POST parameter is stored unmodified via update_option() and later echoed unescaped inside a <textarea> element, so any JavaScript injected into it runs in the WordPress admin panel whenever the settings page is opened.
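The following PHP is an added example, not the Word 2 Cash plugin's source: it sketches the settings-handler pattern the advisory describes (no nonce check, no sanitization, no output escaping) next to a hardened version that closes each gap with the standard WordPress APIs. The option name 'w2c_definitions', the nonce action 'w2c_save_settings', the nonce field name 'w2c_nonce' and the text domain 'w2c' are assumptions chosen for illustration; only the 'w2c-definitions' POST parameter comes from the advisory.

```php
<?php
// Added example (not the Word 2 Cash plugin's code). Option name, nonce action,
// nonce field name and text domain below are hypothetical.

// --- Pattern described in the advisory, shown for contrast ---------------
function w2c_save_settings_unprotected() {
    if ( isset( $_POST['w2c-definitions'] ) ) {
        // No nonce verification, no capability check, no sanitization:
        // any POST arriving with an administrator's session is stored as-is.
        update_option( 'w2c_definitions', $_POST['w2c-definitions'] );
    }
}

function w2c_render_textarea_unprotected() {
    // Stored value echoed without escaping, so stored markup renders in wp-admin.
    echo '<textarea name="w2c-definitions">' . get_option( 'w2c_definitions', '' ) . '</textarea>';
}

// --- Hardened save handler ------------------------------------------------
function w2c_save_settings() {
    if ( ! isset( $_POST['w2c-definitions'] ) ) {
        return;
    }

    // 1. CSRF defence: the request must carry a nonce bound to this action and
    //    to the current user's session. check_admin_referer() stops execution
    //    with a 403-style error page when the nonce is missing or invalid.
    check_admin_referer( 'w2c_save_settings', 'w2c_nonce' );

    // 2. Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'w2c' ), '', 403 );
    }

    // 3. Input sanitization before storage: wp_unslash() removes WordPress's
    //    added slashes, sanitize_textarea_field() strips tags and invalid UTF-8
    //    while preserving line breaks.
    $definitions = sanitize_textarea_field( wp_unslash( $_POST['w2c-definitions'] ) );
    update_option( 'w2c_definitions', $definitions );
}
add_action( 'admin_init', 'w2c_save_settings' );

// --- Hardened settings page -----------------------------------------------
function w2c_render_settings_page() {
    $definitions = get_option( 'w2c_definitions', '' );
    ?>
    <form method="post" action="">
        <?php
        // Emits the hidden nonce field that check_admin_referer() validates.
        wp_nonce_field( 'w2c_save_settings', 'w2c_nonce' );
        ?>
        <!-- 4. Output escaping: esc_textarea() encodes the stored value so it
             cannot terminate the element or introduce markup. -->
        <textarea name="w2c-definitions" rows="10" cols="60"><?php echo esc_textarea( $definitions ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Sanitization on save and escaping on output are independent controls: the first limits what can be stored, the second guarantees that whatever is stored (including values written by other code paths or imported data) cannot be interpreted as HTML when rendered. The nonce check addresses the CSRF vector on its own, but without the other two a logged-in administrator could still store and trigger script content.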

Impact

Exploitation of this vulnerability allows Cross-Site Request Forgery leading to Stored Cross-Site Scripting. The injected JavaScript runs in the context of the WordPress admin panel, where it executes with the administrator's privileges and can therefore be used to carry out more severe actions.

Added: May 20, 2026, 2:54 AM
Updated: May 20, 2026, 2:54 AM

Vulnerability Rating

Custom Algorithm
  spread:          0.0
  impact:          5.4
  exploitability:  7.0
  remediation:     0.0
  relevance:       8.9
  threat:          3.2
  urgency:         2.9
  incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.