Description
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode.
Published: 2026-04-08
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can run malicious scripts on the plugin settings page and on pages rendering the form shortcode
Action: Immediate Patch
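The two defects the description names (no sanitization at update_option() and no context-appropriate escaping at output) in the unsafe pattern beside its hardened form. This is an added illustration using WordPress core functions, not the plugin's own code, and it does not claim to match inq_form.php line 180 or inquery_form_to_posts_or_pages.php line 139; the option name, nonce action, shortcode tag and function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Option name 'inq_form_header',
// the nonce action and the function names below are assumptions.

// BEFORE (the pattern CVE-2026-5169 describes): the raw POST value is stored,
// then echoed into an attribute and into page content with no escaping.
function inq_example_save_unsafe() {
    update_option( 'inq_form_header', $_POST['inq_form_header'] );       // no sanitization
}
function inq_example_render_unsafe() {
    $h = get_option( 'inq_form_header', '' );
    echo '<input type="text" name="inq_form_header" value="' . $h . '">'; // attribute context, no esc_attr()
    echo '<h2>' . $h . '</h2>';                                            // HTML content, no esc_html()
}

// AFTER: authorize the request, sanitize on save, and escape for the exact
// output context. Either layer alone stops the stored script; use both.
function inq_example_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'inq_save_settings' ); // nonce action name is an assumption
    $h = isset( $_POST['inq_form_header'] ) ? wp_unslash( $_POST['inq_form_header'] ) : '';
    update_option( 'inq_form_header', sanitize_text_field( $h ) );
}
function inq_example_render_settings_safe() {
    $h = get_option( 'inq_form_header', '' );
    echo '<input type="text" name="inq_form_header" value="' . esc_attr( $h ) . '">';
}
function inq_example_shortcode_safe() {
    $h = get_option( 'inq_form_header', '' );
    return '<h2>' . esc_html( $h ) . '</h2>'; // shortcode handlers return markup, never echo it
}
add_shortcode( 'inquiry_form_example', 'inq_example_shortcode_safe' ); // tag is an assumption

// Registering the option with a sanitize_callback hooks sanitize_option_{name},
// so every update_option() for it is sanitized, including calls that bypass the form.
register_setting( 'inq_form_settings', 'inq_form_header', array(
    'type'              => 'string',
    'sanitize_callback' => 'sanitize_text_field',
    'default'           => '',
) );
```

Audit tip: grepping a plugin for `update_option(` and `echo` / `return` sites that use a `get_option()` value without `esc_attr()` or `esc_html()` finds this pattern quickly.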
AI Analysis

Impact

The vulnerability resides in the "Form Header" field of the WordPress Inquiry Form to Posts or Pages plugin version 1.0 and earlier. Insufficient sanitization when saving the field and insufficient escaping when rendering it allows an authenticated administrator to inject arbitrary JavaScript. The stored script will run whenever an administrator visits the plugin’s settings page or when any visitor loads a page containing the [inquiry_form] shortcode, potentially enabling session hijacking, defacement, or malicious redirection.

Affected Systems

Any WordPress site using the Inquiry Form to Posts or Pages plugin version 1.0 or older is affected, regardless of the WordPress core version. Only administrators with control over the plugin settings are in a position to store the malicious value that triggers the flaw.

Risk and Exploitability

With a CVSS score of 4.4 this is a moderate‑severity issue that requires authenticated administrator access. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, indicating no confirmed exploitation. The attack path involves logging into the WordPress admin area, entering malicious payloads into the "Form Header" field, and then having the script execute on future page renders for all site visitors.

Generated by OpenCVE AI on April 8, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of the Inquiry Form to Posts or Pages plugin (any version newer than 1.0)
  • If an update is not yet available, remove the stored header value or replace it with a benign string via the plugin settings or by editing the wp_options table directly
  • Restrict administrative privileges to trusted users; enforce strong, unique passwords and consider two‑factor authentication
  • Monitor site logs and user activity for unexpected changes to plugin settings or the injection of new scripts

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Udamadu; Udamadu inquiry Form To Posts Or Pages; Wordpress; Wordpress wordpress
Vendors & Products | | Udamadu; Udamadu inquiry Form To Posts Or Pages; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode.
Title | | Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:10.337Z

Reserved: 2026-03-30T15:11:06.066Z

Link: CVE-2026-5169

Vulnrichment

Updated: 2026-04-13T15:12:08.515Z

NVD

Status: Deferred

Published: 2026-04-08T07:16:23.030

Modified: 2026-04-24T18:15:28.940

Link: CVE-2026-5169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:44Z

Weaknesses