Skip to main content

WordPress EUVDEUVD-2026-22842

| CVE-2026-6293 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-15 Wordfence GHSA-89r9-x6mh-w4fq
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 07:21 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 07:15 euvd
EUVD-2026-22842
Analysis Generated
Apr 15, 2026 - 07:15 vuln.today
CVE Published
Apr 15, 2026 - 06:46 nvd
MEDIUM 4.3

DescriptionCVE.org

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of $_POST['inq_hidden'] == 'Y' with no call to check_admin_referer() and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page.

AnalysisAI

Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. With a CVSS score of 4.3 and no evidence of public exploitation, this represents a moderate-severity threat requiring administrator interaction.

Technical ContextAI

The Inquiry Form to Posts or Pages WordPress plugin processes form settings through a handler that checks only for the presence of $_POST['inq_hidden'] == 'Y' without implementing WordPress security functions like check_admin_referer() or nonce verification. WordPress nonces are cryptographic tokens designed to prevent cross-site request forgery by validating that state-changing requests originate from the application itself rather than third-party sites. The plugin's settings fields accept user input without proper sanitization using WordPress functions such as sanitize_text_field(), and stored values are rendered in the admin interface without escaping via functions like esc_attr() or esc_html(). This combination of missing CSRF protection (CWE-352) and insufficient output encoding creates a stored XSS condition where maliciously injected JavaScript persists in the plugin configuration and executes in administrator browsers. The vulnerability affects the Inquiry Form to Posts or Pages plugin distributed via plugins.trac.wordpress.org, specifically impacting version 1.0 as identified through CPE cpe:2.3:a:udamadu:inquiry_form_to_posts_or_pages.

RemediationAI

Update the Inquiry Form to Posts or Pages plugin to a patched version released after version 1.0. The primary remediation is to upgrade to the latest available version from the WordPress plugin repository, which should include nonce validation via WordPress functions such as wp_verify_nonce() and check_admin_referer(), along with proper input sanitization using sanitize_text_field() or equivalent functions and output escaping using esc_attr(), esc_html(), or contextually appropriate escaping functions. If no patched version is currently available, temporarily disable the plugin by removing it from the wp-content/plugins directory or deactivating it through the WordPress admin dashboard to prevent exploitation. Site administrators should verify that plugin settings are reviewed for any stored malicious content and remove such entries if present. Further details and patches are available through the Wordfence vulnerability disclosure at https://www.wordfence.com/threat-intel/vulnerabilities/id/6abd3968-a8e7-4b40-bb7e-387bab10eba9 and the WordPress plugin repository source code at https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-22842 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy