Stored Cross-Site Scripting Vulnerability in Word Replacer Plugin for WordPress
CVE-2026-3620
4.4 MEDIUM
What is CVE-2026-3620?
The Word Replacer plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'replacement' parameter. All versions up to and including 0.4 lack sufficient input sanitization and output escaping. This vulnerability permits authenticated attackers with Administrator-level access to inject arbitrary scripts into pages. These scripts will execute whenever users access an impacted page, potentially leading to unauthorized actions or data exposure.
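The two controls the description says are missing, input sanitization when a rule is saved and output escaping when it is rendered, shown as an added example that is not the plugin's own code. Only the 'replacement' parameter name comes from the advisory; the wr_example_* functions, the wr_example_rules option and the 'original' field are assumed names for illustration.

```php
<?php
// Added illustration: every wr_example_* name is hypothetical, not taken from the plugin.

// Save handler: check capability and nonce, then sanitize both fields before storage.
function wr_example_save_rule() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wr_example_save_rule' );

    // 'original' is an assumed field name; 'replacement' is the parameter named in the advisory.
    $original    = isset( $_POST['original'] ) ? sanitize_text_field( wp_unslash( $_POST['original'] ) ) : '';
    $replacement = isset( $_POST['replacement'] ) ? sanitize_text_field( wp_unslash( $_POST['replacement'] ) ) : '';
    if ( '' === $original ) {
        return;
    }

    $rules              = get_option( 'wr_example_rules', array() );
    $rules[ $original ] = $replacement;
    update_option( 'wr_example_rules', $rules );
}
add_action( 'admin_post_wr_example_save_rule', 'wr_example_save_rule' );

// Output filter: escape at the point of use, so a value stored before the fix
// (or written straight to the database) is still rendered as text, not markup.
function wr_example_apply_rules( $content ) {
    $rules = get_option( 'wr_example_rules', array() );
    if ( ! is_array( $rules ) ) {
        return $content;
    }
    foreach ( $rules as $original => $replacement ) {
        $content = str_replace( (string) $original, esc_html( (string) $replacement ), $content );
    }
    return $content;
}
add_filter( 'the_content', 'wr_example_apply_rules' );

// Settings page: stored values echoed back into the admin table are escaped as well.
function wr_example_render_row( $original, $replacement ) {
    printf(
        '<tr><td>%s</td><td>%s</td></tr>',
        esc_html( $original ),
        esc_html( $replacement )
    );
}
```

Escaping in the output filter is the control that also covers rules already stored by a vulnerable version; sanitizing on save alone leaves existing rows untouched.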
Affected Version(s)
Word Replacer 0 <= 0.4