EUVD-2026-22842

CVE-2026-6293 | MEDIUM | 4.3 (CVSS 3.1)
2026-04-15 | Wordfence
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 15, 2026 - 07:21 (vuln.today)

Description (NVD)

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of $_POST['inq_hidden'] == 'Y' with no call to check_admin_referer() and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page.
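
The three missing controls named in the description (nonce validation, input sanitization, output escaping), shown in a hardened settings handler. This is an added example, not the plugin's code: only the inq_hidden field comes from the description, while the function names, nonce action and field, inq_label input and option name are hypothetical.

```php
<?php
// Added example: hypothetical settings handler, not the plugin's own code.
// Only the inq_hidden field name comes from the advisory text; every other
// name below (nonce action/field, option, input, functions) is an assumption.

const INQ_NONCE_ACTION = 'inq_save_settings';  // hypothetical
const INQ_NONCE_FIELD  = 'inq_nonce';          // hypothetical
const INQ_OPTION_LABEL = 'inq_example_label';  // hypothetical

function inq_example_handle_settings_post() {
    // The described flaw: this check alone gated the settings update.
    if ( ! isset( $_POST['inq_hidden'] ) || 'Y' !== $_POST['inq_hidden'] ) {
        return;
    }

    // 1. Authorization: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: aborts the request unless a valid nonce for this action
    //    was submitted with the form.
    check_admin_referer( INQ_NONCE_ACTION, INQ_NONCE_FIELD );

    // 3. Sanitize on input before storing.
    $label = isset( $_POST['inq_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['inq_label'] ) )
        : '';
    update_option( INQ_OPTION_LABEL, $label );
}
add_action( 'admin_init', 'inq_example_handle_settings_post' );

function inq_example_render_settings_form() {
    $label = get_option( INQ_OPTION_LABEL, '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( INQ_NONCE_ACTION, INQ_NONCE_FIELD ); ?>
        <input type="hidden" name="inq_hidden" value="Y">
        <!-- 4. Escape on output, even though the value was sanitized. -->
        <input type="text" name="inq_label"
               value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Values stored before such a fix are not cleaned by the input-side sanitization, which is why the output escaping in step 4 is needed independently.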

Analysis (AI)

Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. …
