CVSS Base Score 6.1
CVE-2026-4090
- EPSS 0.24%
- Published 22.04.2026 07:45:37
- Last modified 22.04.2026 20:22:50
- Source security@wordfence.com
Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
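As an added illustration of the weakness class described above (not the plugin's own code; the function and option names `example_ic_*` are hypothetical), here is a WordPress settings handler that saves POSTed settings with no nonce check, next to a hardened version using the core nonce, capability and sanitization APIs:

```php
<?php
// Added illustration, not code from the Inquiry Cart plugin.
// Function, option and nonce names are hypothetical.

// VULNERABLE PATTERN: any POST reaching the admin page is saved.
function example_ic_settings_page_vulnerable() {
    if ( isset( $_POST['example_ic_settings'] ) ) {
        // No nonce: a forged request submitted by a logged-in admin's
        // browser is indistinguishable from an intentional save. No
        // sanitization: stored markup can later render in the admin area.
        update_option( 'example_ic_settings', wp_unslash( $_POST['example_ic_settings'] ) );
    }
    // ... form rendered here without a nonce field ...
}

// HARDENED: capability check + nonce verification + input sanitization.
function example_ic_settings_page_hardened() {
    if ( isset( $_POST['example_ic_settings'] ) ) {
        // Only users who may manage options can save settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', 403 );
        }
        // Stops with a 403 unless the request carries a nonce that is valid
        // for this action and the current user's session (blocks CSRF).
        check_admin_referer( 'example_ic_save_settings', 'example_ic_nonce' );

        $raw      = wp_unslash( (array) $_POST['example_ic_settings'] );
        $settings = array(
            // Sanitize so script tags are never stored in the option.
            'title' => sanitize_text_field( $raw['title'] ?? '' ),
            'email' => sanitize_email( $raw['email'] ?? '' ),
        );
        update_option( 'example_ic_settings', $settings );
    }

    $opts = get_option( 'example_ic_settings', array() );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_ic_save_settings', 'example_ic_nonce' ); ?>
        <input type="text" name="example_ic_settings[title]"
               value="<?php echo esc_attr( $opts['title'] ?? '' ); ?>">
        <input type="email" name="example_ic_settings[email]"
               value="<?php echo esc_attr( $opts['email'] ?? '' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Escaping on output (`esc_attr`) is the second half of the fix: nonce verification stops the forged save, sanitization and escaping stop whatever was saved from executing in the admin area.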
Possible countermeasure
Inquiry cart: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Data is provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: ravster
Product: Inquiry cart
Default status: unaffected
| Version range | Status |
|---|---|
| 0 up to and including 3.4.2 | affected |
VulnDex Vulnerability Enrichment
Further vulnerability information
System: WordPress Plugin
Product: Inquiry cart
Version: *-3.4.2
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.151 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://www.wordfence.com/threat-intel/vulnerabilities/id/772e9b2b-b2d5-4950-804b-d0914004710c?source=cve
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L46
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L46
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L6
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L6
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L21
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L21
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L47
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L47
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L48
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L48
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L49
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L49
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L32
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L32
https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L34
https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L34
https://www.wordfence.com/threat-intel/vulnerabilities/id/772e9b2b-b2d5-4950-804b-d0914004710c