CVE-2026-6293: CWE-352 Cross-Site Request Forgery (CSRF) in udamadu Inquiry form to posts or pages
CVE-2026-6293 is a medium severity vulnerability in the WordPress plugin 'Inquiry Form to Posts or Pages' version 1. 0. It allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to Stored Cross-Site Scripting (XSS). This occurs because the plugin lacks nonce validation on its settings update handler and does not sanitize or escape user-supplied input properly. An attacker can trick a logged-in Administrator into visiting a malicious page, causing arbitrary scripts to be injected and stored via a forged request.
AI Analysis
Technical Summary
The 'Inquiry Form to Posts or Pages' WordPress plugin version 1.0 is vulnerable to CSRF resulting in stored XSS due to missing nonce validation on the settings update handler and insufficient input sanitization and output escaping. The handler triggers on a POST parameter without verifying a WordPress nonce, allowing unauthenticated attackers to craft malicious requests that execute arbitrary scripts when an administrator visits a malicious page.
Potential Impact
An attacker can exploit this vulnerability to inject and store malicious scripts in the plugin settings by tricking an administrator into submitting a forged request. This can lead to stored XSS, potentially allowing script execution in the context of the administrator's browser session. The CVSS score of 4.3 reflects a medium impact with low complexity and no required privileges but requires user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid visiting untrusted or suspicious pages while logged into WordPress with administrative privileges. Monitoring for plugin updates from the vendor is recommended to apply an official fix once released.
CVE-2026-6293: CWE-352 Cross-Site Request Forgery (CSRF) in udamadu Inquiry form to posts or pages
Description
CVE-2026-6293 is a medium severity vulnerability in the WordPress plugin 'Inquiry Form to Posts or Pages' version 1. 0. It allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to Stored Cross-Site Scripting (XSS). This occurs because the plugin lacks nonce validation on its settings update handler and does not sanitize or escape user-supplied input properly. An attacker can trick a logged-in Administrator into visiting a malicious page, causing arbitrary scripts to be injected and stored via a forged request.
CVSS v3.1
Score 4.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'Inquiry Form to Posts or Pages' WordPress plugin version 1.0 is vulnerable to CSRF resulting in stored XSS due to missing nonce validation on the settings update handler and insufficient input sanitization and output escaping. The handler triggers on a POST parameter without verifying a WordPress nonce, allowing unauthenticated attackers to craft malicious requests that execute arbitrary scripts when an administrator visits a malicious page.
Potential Impact
An attacker can exploit this vulnerability to inject and store malicious scripts in the plugin settings by tricking an administrator into submitting a forged request. This can lead to stored XSS, potentially allowing script execution in the context of the administrator's browser session. The CVSS score of 4.3 reflects a medium impact with low complexity and no required privileges but requires user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid visiting untrusted or suspicious pages while logged into WordPress with administrative privileges. Monitoring for plugin updates from the vendor is recommended to apply an official fix once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-04-14T18:01:57.897Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69df37e082d89c981f89f024
Added to database: 4/15/2026, 7:01:52 AM
Last enriched: 4/22/2026, 11:13:41 PM
Last updated: 5/31/2026, 4:04:11 AM
Views: 139
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.