ByteOS Network

winking

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-6395

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.1||MEDIUM

EPSS-Not Assigned

Published-20 May, 2026 | 01:25

Updated-20 May, 2026 | 02:16

Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited.

Vendor-winking

Product-Word 2 Cash

CWE ID-CWE-352

Cross-Site Request Forgery (CSRF)

CVE-2025-27273

Assigner-Patchstack

View Details

Assigner-Patchstack

CVSS Score-5.8||MEDIUM

EPSS-0.21% / 42.78%

7 Day CHG~0.00%

Published-03 Mar, 2025 | 13:30

Updated-28 Apr, 2026 | 16:11

WordPress Affiliate Links Manager Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winking Affiliate Links Manager affiliate-links-manager allows Reflected XSS.This issue affects Affiliate Links Manager: from n/a through <= 1.0.

Vendor-winking

Product-Affiliate Links Manager

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')