MEDIUM 4.4

CVE-2026-3620: Word Replacer Plugin WordPress Stored XSS Vulnerability

The Word Replacer plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 0.4. An attacker with administrator-level access can inject malicious scripts through the plugin's 'replacement' parameter. These scripts persist in the WordPress database and execute whenever any user visits an affected page, potentially allowing credential theft, session hijacking, or defacement. The vulnerability stems from inadequate input validation and output encoding in the plugin code.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

The Word Replacer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'replacement' parameter in all versions up to, and including, 0.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-3620 is a Stored XSS vulnerability in the Word Replacer WordPress plugin caused by insufficient sanitization of the 'replacement' parameter and lack of proper output escaping. The flaw allows high-privileged authenticated users to inject arbitrary JavaScript that persists server-side and executes in the browser context of subsequent visitors. The vulnerability is classified as CWE-20 (Improper Input Validation) and carries a CVSS 3.1 score of 4.4 (MEDIUM severity). The attack vector is network-based, though it requires high privilege escalation (administrator role) and human interaction is not necessary for payload execution once injected.

Business impact

While this vulnerability requires administrator credentials to exploit, it represents a significant insider threat and privilege-abuse risk. Malicious administrators or compromised admin accounts can deface site content, redirect visitors to phishing sites, inject malware, or capture sensitive user data. For WordPress sites with multiple administrators or shared hosting environments, the risk compounds. The reputational damage and potential legal liability from serving malicious content to end users should not be underestimated, particularly for e-commerce or financial services sites.

Affected systems

All versions of the Word Replacer plugin for WordPress up to and including version 0.4 are affected. The vulnerability impacts WordPress installations that have this plugin installed and activated, regardless of WordPress core version. No other products or vendors are mentioned in available CVE data. Exposure is limited to sites where the plugin is present; however, administrators should verify their installed version against the vendor advisory to confirm patch availability.

Exploitability

Exploitation requires authentication as a WordPress administrator or higher-privileged role, which significantly restricts the attack surface. No public exploit code is documented in the KEV catalog (this CVE is not listed as known exploited in the wild). However, the barrier to entry is lower in environments with multiple admins, delegated admin privileges, or where admin credentials have been compromised through phishing or weak password practices. Once injected, the payload executes automatically without requiring further user interaction, making detection and remediation complex.

Remediation

Update the Word Replacer plugin to a patched version released after 0.4. Site administrators should immediately audit plugin versions across their WordPress installations and prioritize updates. Until patching is possible, consider disabling the Word Replacer plugin if it is not mission-critical. Additionally, audit WordPress administrator accounts for unauthorized access and review recent plugin settings changes in the WordPress audit logs to detect any malicious injections already present.

Patch guidance

Check the official Word Replacer plugin repository on WordPress.org or the vendor's website for version 0.5 or later, which should address this vulnerability. Verify the patch details against the vendor advisory before deployment. Most WordPress sites can update plugins directly through the WordPress admin dashboard (Plugins → Installed Plugins → Update). Test the update in a staging environment first to ensure compatibility with your other plugins and theme. After updating, verify that the Word Replacer functionality works as expected and that no injected content remains in your site database.

Detection guidance

Monitor WordPress audit logs and database activity for modifications to the Word Replacer plugin settings or suspicious changes to the 'replacement' parameter values. Look for unusual JavaScript or HTML in replacement text stored in the database—legitimate use cases typically involve simple text strings, not code. Use WordPress security plugins that scan for stored XSS or malicious content injection. Consider implementing a Web Application Firewall (WAF) rule to flag attempts to store script tags or event handlers in plugin parameters. Regularly audit administrator account activity and permission changes.

Why prioritize this

Although rated MEDIUM severity, this vulnerability merits prompt attention due to its persistence (stored XSS), broad impact (affects all site visitors), and the insider-threat nature of the attack. The moderate CVSS score reflects the requirement for high-level privileges, but the reputational and operational risks of a compromised administrator injecting malicious content should not be minimized. Prioritize patching for public-facing or customer-critical WordPress sites within 30 days.

Risk score, explained

The CVSS 3.1 score of 4.4 reflects: (1) network-based attack vector with no special network access required; (2) high privilege requirement (PR:H), significantly limiting exploitability; (3) high complexity (AC:H), meaning specific conditions or user circumstances must be present; (4) scope change (S:C), meaning the vulnerability affects resources beyond the vulnerable component; and (5) limited impact—low confidentiality and integrity impact, no availability impact. The score appropriately balances the severity of stored XSS against the privilege barrier that prevents opportunistic exploitation.

Frequently asked questions

Do I need to update Word Replacer if I only have one administrator account that I trust?

Yes. Even with a single trusted admin, your WordPress installation could be compromised through password reuse, phishing, malware on a developer's workstation, or hosting provider vulnerabilities. Once an attacker gains admin access—intentionally or through compromise—they can inject malicious content affecting all your visitors. Patching eliminates this attack vector entirely.

Can I detect if this vulnerability has already been exploited on my site?

Check your WordPress database for suspicious JavaScript or HTML entities in the Word Replacer plugin settings. Review your site's front-end pages for unexpected content, redirects, or analytics code that shouldn't be there. Most WordPress security plugins can scan for stored XSS signatures. However, thorough detection may require database queries or Web Application Firewall logs to identify injection attempts or anomalous plugin configuration changes around the CVE publication date.

Is this vulnerability exploitable remotely without administrator credentials?

No. The vulnerability explicitly requires authenticated access with administrator-level privileges. Unauthenticated attackers cannot exploit it. However, if your WordPress site has been compromised or administrator credentials have been stolen, this becomes a critical post-exploitation technique for persistence and site-wide malware injection.

What should I do if I cannot update immediately?

Disable the Word Replacer plugin if it is not essential to your site operations. If you must keep it active, implement strict WordPress security measures: limit administrator access to trusted IP addresses, enforce strong password policies, enable two-factor authentication for admin accounts, and monitor login attempts closely. Consider a Web Application Firewall rule to block requests that inject JavaScript or HTML into plugin parameters. Plan an emergency update window within 7 days.

This analysis is based on CVE-2026-3620 data published as of June 2026. Patch version numbers and release dates should be verified directly with the Word Replacer plugin vendor or WordPress.org plugin repository, as they may not be reflected in this CVE record. No public exploit code is known; however, proof-of-concept details should not be shared or published. This vulnerability requires administrator authentication; non-administrators should not be able to exploit it. Organizations should test patches in non-production environments before broad deployment. SEC.co does not provide legal advice; organizations should consult their internal security and legal teams regarding compliance reporting obligations for this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).