Stored Cross-Site Scripting in Inquiry Form to Posts or Pages Plugin by WordPress
CVE-2026-5169

4.4MEDIUM

Key Information:

Vendor

WordPress
Status
Inquiry Form To Posts Or Pages
Vendor
CVE Published:
8 April 2026

What is CVE-2026-5169?

The Inquiry Form to Posts or Pages plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. Specifically, the vulnerability arises from improper handling of the 'Form Header' field in plugin settings, allowing authenticated attackers with administrator privileges to inject arbitrary scripts. These scripts can execute when users access the settings page or view any page utilizing the [inquiry_form] shortcode, posing significant risks to site security.

Affected Version(s)

Inquiry form to posts or pages 0 <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/inquiry-form-t...
https://plugins.trac.wordpress.org/browser/inquiry-form-t...

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Nur Ibnu Hubab
.