Description
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page.
Published: 2026-04-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Upgrade
AI Analysis

Impact

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to a Cross‑Site Request Forgery that can lead to Stored Cross‑Site Scripting. An attacker can craft a forged POST request that satisfies the plugin’s settings handler, which only checks for a specific flag in the payload and lacks nonce validation. Because the handler stores the supplied data without proper sanitization, malicious scripts can be persisted in the plugin’s settings. When an authenticated administrator later accesses a page that renders these settings, the injected scripts execute in the administrator’s browser, allowing the attacker to run arbitrary JavaScript in the context of the site and its users.

Affected Systems

The flaw impacts the Inquiry Form to Posts or Pages plugin version 1.0 distributed by udamadu for WordPress. No other versions or products are listed as affected.

Risk and Exploitability

This vulnerability has a CVSS score of 4.3, indicating moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The attack relies on the presence of a logged‑in administrator who is tricked into visiting a malicious page; an unauthenticated attacker can trigger the flaw via CSRF, but the need for a privileged victim reduces the overall risk compared to a publicly exploitable vulnerability. Nevertheless, the combination of CSRF and stored XSS can compromise site integrity if an attacker succeeds.

Generated by OpenCVE AI on April 15, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Inquiry Form to Posts or Pages plugin (if available) or replace it with a secure alternative.
  • If an upgrade is not possible, add WordPress nonce verification (e.g., check_admin_referer()) to the settings handler or remove the handler altogether to block unauthenticated POST requests, and ensure all user‑supplied fields are properly sanitized and output‑escaped.
  • Remove any injected scripts from the stored plugin settings and re‑initialize default values to guarantee that no malicious content remains.

Generated by OpenCVE AI on April 15, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Udamadu
Udamadu inquiry Form To Posts Or Pages
Wordpress
Wordpress wordpress
Vendors & Products Udamadu
Udamadu inquiry Form To Posts Or Pages
Wordpress
Wordpress wordpress

Wed, 15 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page.
Title Inquiry form to posts or pages <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Udamadu Inquiry Form To Posts Or Pages
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T13:38:48.144Z

Reserved: 2026-04-14T18:01:57.897Z

Link: CVE-2026-6293

cve-icon Vulnrichment

Updated: 2026-04-16T13:38:44.322Z

cve-icon NVD

Status : Deferred

Published: 2026-04-15T07:16:12.340

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-6293

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:29Z

Weaknesses