Cross-Site Request Forgery Vulnerability in Inquiry Cart Plugin for WordPress
CVE-2026-4090

6.1 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
22 April 2026

What is CVE-2026-4090?

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.4.2. The rd_ic_settings_page function does not verify a nonce, so a request that changes the plugin's settings is accepted without proof that it came from the plugin's own settings form. An unauthenticated attacker can use this to modify the plugin's settings through a forged request, provided an administrator is tricked into an action such as clicking a malicious link. The modified settings can carry injected malicious scripts, which are stored and executed in the admin area, potentially leading to unauthorized administrative actions.
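The kind of check the description says is missing, shown as an added example that is not the Inquiry Cart plugin's code: a settings-page callback that requires a capability, verifies a nonce before saving, and sanitizes on input and escapes on output. The function, option, nonce and field names are hypothetical, and the code assumes it is registered as an admin menu page callback inside WordPress.

```php
<?php
// Added example: hypothetical settings handler, not the plugin's own code.
// Option name, nonce action and field names are assumptions for illustration.
const EXAMPLE_IC_OPTION       = 'example_ic_button_label';
const EXAMPLE_IC_NONCE_ACTION = 'example_ic_save_settings';
const EXAMPLE_IC_NONCE_FIELD  = 'example_ic_nonce';

function example_ic_settings_page() {
    // Authorization: only users who may manage options reach this page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage these settings.' ) );
    }

    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF defence: the request must carry the nonce issued with the form
        // below. check_admin_referer() ends the request if it is missing or
        // invalid, so a forged cross-site POST never reaches update_option().
        check_admin_referer( EXAMPLE_IC_NONCE_ACTION, EXAMPLE_IC_NONCE_FIELD );

        // Sanitize on input so markup cannot be stored in the setting.
        $label = isset( $_POST['example_ic_label'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_ic_label'] ) )
            : '';
        update_option( EXAMPLE_IC_OPTION, $label );

        echo '<div class="notice notice-success"><p>'
            . esc_html__( 'Settings saved.' ) . '</p></div>';
    }

    $current = get_option( EXAMPLE_IC_OPTION, '' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html__( 'Example Inquiry Settings' ); ?></h1>
        <form method="post">
            <?php // Emits the hidden nonce field that the handler verifies. ?>
            <?php wp_nonce_field( EXAMPLE_IC_NONCE_ACTION, EXAMPLE_IC_NONCE_FIELD ); ?>
            <?php // Escape on output so a stored value cannot break out of the attribute. ?>
            <input type="text" name="example_ic_label"
                   value="<?php echo esc_attr( $current ); ?>" />
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

The nonce check stops the forged request, while the sanitizing and escaping limit what a stored setting can do if some other path writes to it.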

Affected Version(s)

Inquiry cart 0 <= 3.4.2

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Nur Ibnu Hubab