Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of $_POST['inq_hidden'] == 'Y' with no call to check_admin_referer() and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page.
AnalysisAI
Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. With a CVSS score of 4.3 and no evidence of public exploitation, this represents a moderate-severity threat requiring administrator interaction.
Technical ContextAI
The Inquiry Form to Posts or Pages WordPress plugin processes form settings through a handler that checks only for the presence of $_POST['inq_hidden'] == 'Y' without implementing WordPress security functions like check_admin_referer() or nonce verification. WordPress nonces are cryptographic tokens designed to prevent cross-site request forgery by validating that state-changing requests originate from the application itself rather than third-party sites. The plugin's settings fields accept user input without proper sanitization using WordPress functions such as sanitize_text_field(), and stored values are rendered in the admin interface without escaping via functions like esc_attr() or esc_html(). This combination of missing CSRF protection (CWE-352) and insufficient output encoding creates a stored XSS condition where maliciously injected JavaScript persists in the plugin configuration and executes in administrator browsers. The vulnerability affects the Inquiry Form to Posts or Pages plugin distributed via plugins.trac.wordpress.org, specifically impacting version 1.0 as identified through CPE cpe:2.3:a:udamadu:inquiry_form_to_posts_or_pages.
RemediationAI
Update the Inquiry Form to Posts or Pages plugin to a patched version released after version 1.0. The primary remediation is to upgrade to the latest available version from the WordPress plugin repository, which should include nonce validation via WordPress functions such as wp_verify_nonce() and check_admin_referer(), along with proper input sanitization using sanitize_text_field() or equivalent functions and output escaping using esc_attr(), esc_html(), or contextually appropriate escaping functions. If no patched version is currently available, temporarily disable the plugin by removing it from the wp-content/plugins directory or deactivating it through the WordPress admin dashboard to prevent exploitation. Site administrators should verify that plugin settings are reviewed for any stored malicious content and remove such entries if present. Further details and patches are available through the Wordfence vulnerability disclosure at https://www.wordfence.com/threat-intel/vulnerabilities/id/6abd3968-a8e7-4b40-bb7e-387bab10eba9 and the WordPress plugin repository source code at https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22842
GHSA-89r9-x6mh-w4fq