{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5169", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-30T15:11:06.066Z", "datePublished": "2026-04-08T06:43:39.394Z", "dateUpdated": "2026-04-13T15:15:10.337Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:06.343Z"}, "affected": [{"vendor": "udamadu", "product": "Inquiry form to posts or pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode."}], "title": "Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/743788ed-bd40-4eb4-a27e-d4eb89df3a41?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inquery_form_to_posts_or_pages.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inquery_form_to_posts_or_pages.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L63"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-07T17:36:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5169", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:06:54.455385Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:15:10.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5169", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:06:54.455385Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:12:08.515Z"}}], "cna": {"title": "Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "udamadu", "product": "Inquiry form to posts or pages", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-07T17:36:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/743788ed-bd40-4eb4-a27e-d4eb89df3a41?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L180"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inquery_form_to_posts_or_pages.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inquery_form_to_posts_or_pages.php#L139"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L63"}], "descriptions": [{"lang": "en", "value": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:06.343Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5169", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:15:10.337Z", "dateReserved": "2026-03-30T15:11:06.066Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T06:43:39.394Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode."}], "id": "CVE-2026-5169", "lastModified": "2026-04-24T18:15:28.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:23.030", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inq_form.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/tags/1.0/inquery_form_to_posts_or_pages.php#L139"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L180"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inq_form.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/inquiry-form-to-posts-or-pages/trunk/inquery_form_to_posts_or_pages.php#L139"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/743788ed-bd40-4eb4-a27e-d4eb89df3a41?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Inquiry form to posts or pages", "source": "cna", "vendor": "udamadu"}, "product": "inquiry_form_to_posts_or_pages", "vendor": "udamadu"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:52:44.258572+00:00", "value": {"mitigation_remediation": ["Apply the latest release of the Inquiry Form to Posts or Pages plugin (any version newer than 1.0)", "If an update is not yet available, remove the stored header value or replace it with a benign string via the plugin settings or by editing the wp_options table directly", "Restrict administrative privileges to trusted users; enforce strong, unique passwords and consider two\u2011factor authentication", "Monitor site logs and user activity for unexpected changes to plugin settings or the injection of new scripts"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that can run malicious scripts on the plugin settings page and on pages rendering the form shortcode"}, "threat_synthesis": {"affected_systems": "Any WordPress site using the Inquiry Form to Posts or Pages plugin version 1.0 or older is affected regardless of the WordPress core version. Administrators with control over the plugin settings can introduce the flaw.", "description_and_impact": "The vulnerability resides in the \"Form Header\" field of the WordPress Inquiry Form to Posts or Pages plugin version 1.0 and earlier. Insufficient sanitization when saving the field and insufficient escaping when rendering it allows an authenticated administrator to inject arbitrary JavaScript. The stored script will run whenever an administrator visits the plugin\u2019s settings page or when any visitor loads a page containing the [inquiry_form] shortcode, potentially enabling session hijacking, defacement, or malicious redirection.", "risk_and_exploitability": "With a CVSS score of 4.4 this is a moderate\u2011severity issue that requires authenticated administrator access. No EPSS data is available and the flaw is not listed in the CISA KEV catalog, indicating no confirmed exploitation. The attack path involves logging into the WordPress admin area, entering malicious payloads into the \"Form Header\" field, and then having the script execute on future page renders for all site visitors."}}}}, "created": "2026-04-08T19:31:11.009801+00:00", "updated": "2026-04-08T19:43:44.510165+00:00", "vendors": ["udamadu", "udamadu$PRODUCT$inquiry_form_to_posts_or_pages", "wordpress", "wordpress$PRODUCT$wordpress"]}