Description
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2026-04-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery leading to arbitrary script injection in the WordPress admin area
Action: Immediate Patch
AI Analysis

Impact

Missing nonce verification in the plugin’s settings form allows an attacker who can trick an administrator into clicking a crafted link to submit forged requests. This upload of arbitrary data can change configuration options and inject malicious scripts that will run when the admin page is loaded, giving the attacker a foothold in the site’s privileged backend.

Affected Systems

The vulnerability affects the Inquiry Cart WordPress plugin from Ravenster, specifically versions 3.4.2 and earlier. Site administrators using these older releases are at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog, implying it is not a widely exploited known vulnerability. Attackers need to lure an administrator into clicking a malicious link or inserting a forged form request, which is a commonly exploited CSRF pattern. Because the plugin stores the attacker’s payload, any subsequent interaction with the plugin’s admin pages will execute the injected code, potentially leading to full admin compromise.

Generated by OpenCVE AI on April 22, 2026 at 09:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Inquiry Cart plugin to the latest version that includes nonce verification.
  • If an upgrade is not possible, disable or delete the plugin’s settings page to prevent unauthorized changes.
  • Restrict access to the WordPress admin area to trusted roles and enable two‑factor authentication to reduce the success of CSRF attempts.

Generated by OpenCVE AI on April 22, 2026 at 09:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L32 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L34 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L21 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L46 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L47 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L48 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L49 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L6 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L32 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L34 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L21 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L46 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L47 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L48 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L49 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L6 cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/772e9b2b-b2d5-4950-804b-d0914004710c?source=cve cve-icon cve-icon
History

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Ravster
Ravster inquiry Cart
Wordpress
Wordpress wordpress
Vendors & Products Ravster
Ravster inquiry Cart
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Title Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Ravster Inquiry Cart
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T15:59:46.866Z

Reserved: 2026-03-12T21:14:19.934Z

Link: CVE-2026-4090

cve-icon Vulnrichment

Updated: 2026-04-22T15:53:07.550Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:22.867

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4090

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T09:45:12Z

Weaknesses