Security Alert Summary
The Word Replacer plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in the replacement parameter. Insufficient input sanitization and output escaping allow authenticated users with Administrator-level privileges or higher to inject arbitrary scripts that will execute when affected pages are viewed.
CVE Details
- CVE ID: CVE-2026-3620
- Affected component: Word Replacer plugin for WordPress
- Affected versions: All versions up to and including 0.4
- Published: June 2, 2026 at 9:16 AM UTC
- Last modified: June 2, 2026 at 1:03 PM UTC
- CVSS v3.1: Base Score 4.4 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Attack vector: Network
- Attack complexity: High
- Privileges required: High (Administrator-level access or higher)
- User interaction: None required
- Scope: Changed
- Impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-20
Technical Details
This issue is a stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and missing output escaping for the replacement parameter. An authenticated attacker with Administrator-level privileges or higher can store arbitrary web script in plugin-controlled content. When another user accesses a page containing the injected content, the script will execute in the context of the user’s browser.
The vulnerability exists because user-supplied data provided to the replacement parameter is not properly sanitized before storage and is not escaped when rendered, allowing HTML or script payloads to be persisted and later executed. The CVE description does not name specific functions or REST endpoints beyond the parameter, so remediation requires adding server-side input validation and proper output escaping where the replacement content is rendered.
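The following is an added illustration of the remediation pattern described above; it is not code from the Word Replacer plugin, and the option name `wr_example_rules`, the function names, and the form field names are hypothetical. It shows a save handler that stores the replacement parameter without validation next to a hardened version that checks capability and nonce, sanitizes on input with `sanitize_text_field()`, and escapes again at render time with `esc_html()`, so a stored value cannot be emitted as live markup.

```php
<?php
// Added example, not the plugin's own code. Option and function names are hypothetical.

// Weak pattern (the class of defect the advisory describes): the replacement
// parameter is stored as received and later inserted into page HTML unescaped.
function wr_example_save_rule_unsafe() {
    $rules   = get_option( 'wr_example_rules', array() );
    $rules[] = array(
        'search'      => $_POST['search'],       // no validation
        'replacement' => $_POST['replacement'],  // markup persists to the database
    );
    update_option( 'wr_example_rules', $rules );
}

function wr_example_apply_rules_unsafe( $content ) {
    foreach ( (array) get_option( 'wr_example_rules', array() ) as $rule ) {
        // Stored value rendered verbatim: stored XSS on every page that matches.
        $content = str_replace( $rule['search'], $rule['replacement'], $content );
    }
    return $content;
}

// Hardened pattern: authorize, validate on input, escape on output.
function wr_example_save_rule() {
    // Only site administrators may manage rules; the nonce ties the request to the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'wr_example_save_rule' );

    // Strip tags and control characters before anything touches the database.
    $search      = sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) );
    $replacement = sanitize_text_field( wp_unslash( $_POST['replacement'] ?? '' ) );
    if ( '' === $search ) {
        return; // an empty search term would match everything
    }

    $rules   = get_option( 'wr_example_rules', array() );
    $rules[] = array( 'search' => $search, 'replacement' => $replacement );
    update_option( 'wr_example_rules', $rules );
}

function wr_example_apply_rules( $content ) {
    foreach ( (array) get_option( 'wr_example_rules', array() ) as $rule ) {
        // Escape at output time as well: data already in the database is never
        // trusted, so an entry stored before the fix still renders as inert text.
        $content = str_replace(
            $rule['search'],
            esc_html( $rule['replacement'] ),
            $content
        );
    }
    return $content;
}
add_filter( 'the_content', 'wr_example_apply_rules' );
```

If the plugin's design legitimately requires limited HTML in a replacement (for example a link or emphasis), `wp_kses_post()` on both save and render is the appropriate substitute for `sanitize_text_field()` and `esc_html()`; it keeps an allow-list of post-safe tags and drops script and event-handler attributes. Either way, the two layers are deliberate: input validation limits what can be stored, and output escaping covers content stored before the fix or through any other path.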
Impact is limited to script execution in pages that include the injected replacement text. Given the privileges required to inject content, the most realistic attacker is an authenticated admin-level account. This vulnerability does not by itself indicate remote code execution on the server or full site takeover.
How This Could Impact Your Website
Consider a typical small business WordPress site with a site owner, internal staff who manage content, and an external contractor who contributes posts. If an administrator or another high-privilege user account is used to edit replacement entries and supplies a crafted payload in the replacement parameter, any page that displays that replacement can execute the injected script when viewed by other users.
Practical consequences include exposure of user session data visible in the browser, disclosure of internal user email addresses shown on affected pages, and an increased risk of targeted phishing or social engineering against staff who view the injected content. The vulnerability is stored XSS, so scripts execute in the context of the visiting user and can be used to perform actions available to that user in the browser.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor and editor roles with elevated privileges.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and audit logs for unusual behavior, including unexpected content changes or new replacement entries.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/word-replacer/tags/0.4/word-replacer.php#L191
- https://plugins.trac.wordpress.org/browser/word-replacer/tags/0.4/word-replacer.php#L230
- https://plugins.trac.wordpress.org/browser/word-replacer/tags/0.4/word-replacer.php#L339
- https://plugins.trac.wordpress.org/browser/word-replacer/tags/0.4/word-replacer.php#L343
- https://plugins.trac.wordpress.org/browser/word-replacer/trunk/word-replacer.php#L191
- https://plugins.trac.wordpress.org/browser/word-replacer/trunk/word-replacer.php#L230
- https://plugins.trac.wordpress.org/browser/word-replacer/trunk/word-replacer.php#L339
- https://plugins.trac.wordpress.org/browser/word-replacer/trunk/word-replacer.php#L343
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b827f0e1-b8ee-4015-a608-45505f43b324?source=cve