{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6293", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-14T18:01:57.897Z", "datePublished": "2026-04-15T06:46:18.890Z", "dateUpdated": "2026-04-16T13:38:48.144Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T06:46:18.890Z"}, "affected": [{"vendor": "udamadu", "product": "Inquiry form to posts or pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page."}], "title": "Inquiry form to posts or pages <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6abd3968-a8e7-4b40-bb7e-387bab10eba9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inquery_form_to_posts_or_pages.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inquery_form_to_posts_or_pages.php#L139"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-14T18:02:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:38:39.709147Z", "id": "CVE-2026-6293", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:38:48.144Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6293", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:38:39.709147Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:38:44.322Z"}}], "cna": {"title": "Inquiry form to posts or pages <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "udamadu", "product": "Inquiry form to posts or pages", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-14T18:02:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6abd3968-a8e7-4b40-bb7e-387bab10eba9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inquery_form_to_posts_or_pages.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inquery_form_to_posts_or_pages.php#L139"}], "descriptions": [{"lang": "en", "value": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T06:46:18.890Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6293", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:38:48.144Z", "dateReserved": "2026-04-14T18:01:57.897Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T06:46:18.890Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page."}], "id": "CVE-2026-6293", "lastModified": "2026-04-15T07:16:12.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T07:16:12.340", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inquery_form_to_posts_or_pages.php#L139"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inquery_form_to_posts_or_pages.php#L139"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6abd3968-a8e7-4b40-bb7e-387bab10eba9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Inquiry form to posts or pages", "source": "cna", "vendor": "udamadu"}, "product": "inquiry_form_to_posts_or_pages", "vendor": "udamadu"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T08:20:52.968313+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of the Inquiry Form to Posts or Pages plugin (if available) or replace it with a secure alternative.", "If an upgrade is not possible, add WordPress nonce verification (e.g., check_admin_referer()) to the settings handler or remove the handler altogether to block unauthenticated POST requests, and ensure all user\u2011supplied fields are properly sanitized and output\u2011escaped.", "Remove any injected scripts from the stored plugin settings and re\u2011initialize default values to guarantee that no malicious content remains."], "summary": {"action": "Upgrade", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "The flaw impacts the Inquiry Form to Posts or Pages plugin version\u202f1.0 distributed by udamadu for WordPress. No other versions or products are listed as affected.", "description_and_impact": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to a Cross\u2011Site Request Forgery that can lead to Stored Cross\u2011Site Scripting. An attacker can craft a forged POST request that satisfies the plugin\u2019s settings handler, which only checks for a specific flag in the payload and lacks nonce validation. Because the handler stores the supplied data without proper sanitization, malicious scripts can be persisted in the plugin\u2019s settings. When an authenticated administrator later accesses a page that renders these settings, the injected scripts execute in the administrator\u2019s browser, allowing the attacker to run arbitrary JavaScript in the context of the site and its users.", "risk_and_exploitability": "This vulnerability has a CVSS score of 4.3, indicating moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The attack relies on the presence of a logged\u2011in administrator who is tricked into visiting a malicious page; an unauthenticated attacker can trigger the flaw via CSRF, but the need for a privileged victim reduces the overall risk compared to a publicly exploitable vulnerability. Nevertheless, the combination of CSRF and stored XSS can compromise site integrity if an attacker succeeds."}}}}, "created": "2026-04-15T13:49:14.867607+00:00", "updated": "2026-04-15T14:53:29.091463+00:00", "vendors": ["udamadu", "udamadu$PRODUCT$inquiry_form_to_posts_or_pages", "wordpress", "wordpress$PRODUCT$wordpress"]}