VYPR
Medium severity (4.4) · NVD Advisory · Published Jun 2, 2026 · Updated Jun 2, 2026

CVE-2026-3620

Description

WordPress Word Replacer plugin versions up to 0.4 are vulnerable to stored XSS via the 'replacement' parameter, allowing authenticated admins to inject scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Word Replacer plugin for WordPress, in all versions up to and including 0.4, suffers from a Stored Cross-Site Scripting (XSS) vulnerability. This is due to insufficient sanitization and output escaping of the replacement parameter. The vulnerability is present in the plugin's core functionality.

Exploitation

An authenticated attacker with Administrator-level privileges or higher can exploit this vulnerability by supplying arbitrary web script in the replacement parameter. The injected script then executes whenever a user accesses a page containing the injected content.

Impact

Successful exploitation allows an attacker to inject arbitrary web scripts into pages. When users access these pages, the injected scripts will execute in their browser context. This can lead to various malicious actions, such as session hijacking, defacement, or redirection to malicious sites, depending on the injected script.

Mitigation

There is no specific mitigation or patched version information available in the provided references. Users are advised to disable or remove the plugin until a fix is released. The plugin's source code can be reviewed at [1], [2], [3], and [4].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The plugin does not properly sanitize user input in the 'replacement' parameter before it is used in database queries or displayed."

Attack vector

An authenticated attacker with Administrator privileges can inject arbitrary web scripts into pages by leveraging the 'replacement' parameter. This occurs because the plugin fails to adequately sanitize and escape user-supplied data. When a user views a page containing the injected script, it will execute in their browser, potentially leading to further compromise.

Affected code

The vulnerability lies within the Word Replacer plugin, specifically in how it handles the 'replacement' parameter. The code responsible for inserting and updating these replacements is in the `word_replacer_post` function, which calls `esc_sql(trim($replacement[$i]))` before the database operation and `htmlspecialchars_decode($this->esc_textarea($wrdb['replacement']))` when performing replacements [1], [2]. Neither call protects the HTML context: `esc_sql()` escapes a value only for use in an SQL statement, and passing the output of the `esc_textarea()` call through `htmlspecialchars_decode()` undoes the entity encoding that call applied, so stored markup is emitted as-is.

What the fix does

The patch is not provided in the bundle. The advisory indicates that the vulnerability is due to insufficient input sanitization and output escaping in the 'replacement' parameter. Remediation would involve implementing proper sanitization and escaping mechanisms for this parameter to prevent script injection.
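The save-and-render pattern named above next to a hardened version, as an added example that is not the plugin's own code. It uses minimal stand-ins for the WordPress helpers `esc_textarea`, `esc_html` and `sanitize_text_field` so it runs outside WordPress; `vulnerable_render`, `hardened_save` and `hardened_render` are illustrative names.

```php
<?php
// Added example, not Word Replacer's code. Stand-ins for WordPress helpers
// so the script runs outside WordPress; inside WP the real ones take over.
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximates WordPress: drop script/style blocks, then strip tags.
    function sanitize_text_field($text) {
        $text = preg_replace('@<(script|style)[^>]*?>.*?</\1>@si', '', $text);
        return trim(strip_tags($text));
    }
}

// Pattern described in the advisory. esc_sql() on save only escapes the
// value for the SQL statement, so markup is stored intact. On output,
// htmlspecialchars_decode() reverses the entity encoding esc_textarea()
// just applied, so the stored markup reaches the page unescaped.
function vulnerable_render($stored) {
    return htmlspecialchars_decode(esc_textarea($stored));
}

// Hardened pattern: reduce to plain text on save (a word replacement has
// no need for markup), escape for the HTML context on output, and never
// decode after escaping. Use $wpdb->prepare() for the query itself.
function hardened_save($raw) {
    return sanitize_text_field($raw);
}
function hardened_render($stored) {
    return esc_html($stored);
}

// Constructed samples: one carrying markup, one with legitimate specials.
$samples = ['<script>constructed_marker()</script>Hello', 'Tom & "Jerry"'];
foreach ($samples as $input) {
    $vuln = vulnerable_render($input);
    $hard = hardened_render(hardened_save($input));
    printf("input: %s\nvulnerable: %s\nhardened: %s\n\n", $input, $vuln, $hard);
    // The vulnerable path is an identity function on the stored value.
    if ($vuln !== $input) { throw new RuntimeException('unexpected decode'); }
    // The hardened path never emits a raw '<', '>' or '"'.
    if (preg_match('/[<>"]/', $hard)) { throw new RuntimeException('unescaped'); }
}
```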

Preconditions

  • auth: Attacker must have Administrator-level access or above.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0 (no linked articles in our index yet)