Cross-Site Request Forgery in Inquiry Form to Posts or Pages Plugin for WordPress
CVE-2026-6293

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Inquiry Form To Posts Or Pages
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-6293?

The Inquiry Form to Posts or Pages plugin for WordPress is susceptible to Cross-Site Request Forgery, which can result in Stored Cross-Site Scripting. This vulnerability arises from the plugin's failure to implement nonce validation in its settings update handler. Without adequate nonce security, unauthenticated attackers can exploit this weakness by manipulating a logged-in Administrator into triggering a malicious action through a crafted request. The absence of input sanitization on user-supplied fields and the lack of output escaping when displaying stored data further amplifies the risk, permitting unauthorized script execution on affected sites.

Affected Version(s)

Inquiry form to posts or pages 0 <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/inquiry-form-t...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-6293 Data

JSON