Hong Kong Security Alert: Cross Site Scripting (CVE-2026-3620)

Cross Site Scripting (XSS) in the WordPress Word Replacer plugin
Plugin name: Word Replacer
Vulnerability type: Cross-Site Scripting (XSS)
CVE number: CVE-2026-3620
Urgency: Low
CVE publication date: 2026-06-02
Source URL: CVE-2026-3620

WordPress Word Replacer (≤ 0.4) — Authenticated Administrator Stored XSS (CVE-2026-3620): What Site Owners Need to Know and Do Now

Author: Hong Kong security expert

Date: 2026-06-02

Overview

On 1 June 2026 a stored Cross-Site Scripting vulnerability affecting the Word Replacer WordPress plugin (versions ≤ 0.4) was publicly disclosed and assigned CVE-2026-3620. The issue is an authenticated, administrator-only stored XSS — meaning a user with Administrator privileges in WordPress can save malicious input that is later rendered without proper escaping, causing JavaScript to execute in the browser of site visitors or other administrative users.

Although this vulnerability requires Administrator access to introduce the payload, the consequences can be severe: persistent account takeover, site defacement, backdoor installation, cookie/token theft, privilege escalation and lateral movement inside the site. The reported CVSS base score is 5.9 (medium), but practical risk depends heavily on whether an attacker can acquire or coerce an Administrator account (social engineering, reused passwords, compromised devices, rogue contractor, etc.).

This guidance summarises how the vulnerability works, realistic attack scenarios, detection indicators, containment and mitigation steps (including temporary fixes), longer-term hardening, and developer guidance to fix the root cause.

Credit: vulnerability disclosed in public advisory (CVE-2026-3620). Research credited to san6051 (COFFSec).

What is Stored XSS and why is an “authenticated admin” vector important?

Stored Cross-Site Scripting (XSS) occurs when an attacker stores a malicious script in server-side data (database, options table, posts, plugin settings, etc.) and that script is later delivered to other users without proper escaping or sanitization. Because the payload is persistent, many visitors and users can be affected over time.

An “authenticated administrator” qualifier means only accounts with Administrator capabilities can save the malicious payload. That reduces the immediate attack surface compared to unauthenticated bugs, but it remains dangerous because:

  • Administrator accounts are frequent targets via phishing, credential stuffing and social engineering.
  • Administrators can create content and persistent site data.
  • An attacker can coerce an Administrator to paste or import payloads, or use a compromised admin to directly inject malicious entries.
  • Stored XSS that renders in the admin dashboard can immediately compromise other administrative sessions.

Even “admin-only” stored XSS can lead to full site compromise when combined with real-world attacker techniques.

How the Word Replacer vulnerability works (high-level)

The core technical issue is straightforward:

  1. The plugin exposes a UI for administrators to define replacement rules that are stored in the database.
  2. When those settings are saved, the plugin fails to properly sanitize or validate the replacement content.
  3. When the plugin renders those stored values on the front-end or in the admin dashboard, it outputs the content into HTML without escaping, allowing embedded JavaScript to execute.
  4. The script runs with the site origin, enabling actions as the victim visitor or administrator.

Typical dangerous patterns include:

  • Storing raw HTML or unescaped text and echoing it directly (e.g., echo $value;) instead of using esc_html(), esc_attr() or wp_kses().
  • Building replacement strings that are inserted into page HTML or attributes without proper escaping.
  • Allowing event handlers or javascript: URIs to be saved as part of entries.
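The following PHP is an added illustration and not the Word Replacer plugin's own code: it places the unsafe "store raw, echo raw" pattern described above beside a hardened version that sanitizes on save and escapes on output. The esc_html() and sanitize_text_field() shims are assumed approximations of the WordPress helpers so that the file runs outside WordPress; the sample rule and content are constructed.

```php
<?php
// Added illustration, not the Word Replacer plugin's code. The shims below are
// approximations of the WordPress helpers so the file runs outside WordPress;
// inside a plugin you call the real esc_html() / sanitize_text_field().
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);                            // drop markup
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text); // drop control chars
        return trim($text);
    }
}

// Constructed sample: a rule an administrator could save through the settings UI.
$rules   = [['search' => 'sale', 'replace' => '<img src=x onerror="alert(1)">']];
$content = '<p>Big sale this week.</p>';

// VULNERABLE pattern from the advisory: the stored replacement is neither
// sanitized on save nor escaped on output, so the markup lands in the page.
function replace_unsafe(string $content, array $rules): string {
    foreach ($rules as $rule) {
        $content = str_replace($rule['search'], $rule['replace'], $content);
    }
    return $content; // the plugin echoes this as-is -> stored XSS
}

// HARDENED: sanitize when the administrator saves the rule...
function save_rule_hardened(array $rule): array {
    return ['search'  => sanitize_text_field($rule['search']),
            'replace' => sanitize_text_field($rule['replace'])];
}

// ...and still escape on output (defence in depth). esc_html() is correct for an
// HTML text context only, so replacements must not be applied inside attributes
// or <script> blocks; use esc_attr()/wp_kses() for those contexts.
function replace_hardened(string $content, array $rules): string {
    foreach ($rules as $rule) {
        $content = str_replace($rule['search'], esc_html($rule['replace']), $content);
    }
    return $content;
}

echo replace_unsafe($content, $rules), PHP_EOL;
echo replace_hardened($content, array_map('save_rule_hardened', $rules)), PHP_EOL;
```

Run with `php file.php`: the first line shows the injected tag surviving into the page, the second shows it removed on save and any remaining special characters rendered inert.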

Realistic attack scenarios

  • Rogue administrator account: An attacker controlling an admin account installs replacement entries that inject JavaScript into pages and dashboards, enabling creation of new admins, theme edits, or REST API abuse.
  • Compromised admin via phishing/credential reuse: An attacker tricks an Administrator into pasting or saving attacker-supplied replacement entries or clicking an import URL containing payloads.
  • Third-party misuse: A contractor or agency with admin access introduces unescaped content.
  • Targeted pivot: Stored XSS executes in the admin dashboard and steals authentication tokens or nonces, enabling further actions.

Although remote unauthenticated takeover is not available through this bug alone, social engineering and targeted compromise frequently bridge that gap.

Impact and typical attacker goals

Once the stored XSS executes, attackers commonly aim to:

  • Steal session tokens and take over accounts.
  • Create new Administrator users or elevate privileges.
  • Install persistent backdoors (malicious plugins, modified themes, PHP uploads).
  • Redirect visitors to scams or drive-by downloads.
  • Display fraudulent content or inject monetisation code.
  • Harvest customer data from forms, comments, or e-commerce pages.
  • Pivot to hosting panels or APIs if credentials are present in the admin UI.

CVE and severity context

  • CVE identifier: CVE-2026-3620
  • Affected versions: Word Replacer plugin ≤ 0.4
  • Type: Stored Cross-Site Scripting (XSS)
  • Required privilege: Administrator
  • Patch status (at disclosure): No official plugin patch available
  • CVSS base: 5.9
  • Research credit: san6051 (COFFSec)

Even with a “medium” CVSS, treat this vulnerability as urgent for sites where admin accounts are at risk or where administrators accept input from third parties.

Detection — indicators of compromise

Key detection techniques:

  1. Search the database for suspicious replacement rules or entries:

    Look for HTML tags (