CVE-2024-5155 in Inquiry Cart Plugin

Summary

by MITRE • 06/14/2024

The Inquiry cart WordPress plugin through 3.4.2 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.


Analysis

by VulDB Data Team • 06/06/2025

The vulnerability identified as CVE-2024-5155 affects the Inquiry cart WordPress plugin version 3.4.2 and earlier, presenting a critical security risk that combines multiple dangerous flaws in a single attack vector. It resides in the plugin's administrative interface, which fails to implement Cross-Site Request Forgery protection while also lacking adequate input sanitization and output escaping. Together these weaknesses allow an attacker to use a carefully crafted CSRF request, submitted through an authenticated administrator's browser, to inject malicious JavaScript code into the plugin's administrative areas.

The technical flaw manifests in the plugin's failure to validate CSRF tokens during critical administrative operations within the Inquiry cart plugin. This absence of CSRF protection allows attackers to trick authenticated administrators into executing unintended actions without their knowledge or consent. The vulnerability specifically impacts areas where the plugin processes user input or displays data, as it does not properly sanitize or escape data before rendering it in the browser. This creates a perfect storm where malicious payloads can be stored in the system and executed whenever administrators access affected pages, making it a classic stored cross-site scripting vulnerability that leverages CSRF as its initial exploitation vector.

The operational impact of this vulnerability is severe as it provides attackers with a pathway to execute arbitrary JavaScript code within the context of an administrator's browser session. This enables attackers to perform actions such as modifying plugin settings, accessing sensitive data, stealing session cookies, or even taking full control of the WordPress installation. The vulnerability affects all administrators who have access to the Inquiry cart plugin interface, making it particularly dangerous in environments where multiple administrators exist or where administrators perform routine administrative tasks. The stored nature of the XSS payload means that the malicious code persists in the system and executes every time an administrator views the affected pages, creating a persistent backdoor for attackers.

Mitigation strategies for CVE-2024-5155 should begin with immediate plugin updates to version 3.4.3 or later where the CSRF protections have been implemented and sanitization measures have been enhanced. Organizations should also implement additional security measures such as role-based access controls to limit administrative privileges, regular security audits of installed plugins, and monitoring for unusual administrative activities. The vulnerability aligns with CWE-352 which specifically addresses Cross-Site Request Forgery weaknesses, and also relates to CWE-79 which covers Cross-Site Scripting vulnerabilities. From an ATT&CK framework perspective, this vulnerability maps to T1566.001 (Phishing: Spearphishing Attachment) and T1059.007 (Command and Scripting Interpreter: JavaScript) as it enables attackers to deliver malicious payloads through phishing campaigns and execute JavaScript code within the target environment. Organizations should also consider implementing Content Security Policy headers and regular security scanning to detect similar vulnerabilities in other plugins or themes that may exhibit similar patterns of insufficient input validation and output escaping.
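The class of defect the analysis describes, a settings handler with no nonce check and no sanitisation or escaping, shown beside its hardened form. This is an added example, not code from the Inquiry cart plugin or from its fix; the option name `ic_notice`, the nonce action, the menu slug and the function names are assumptions, while the WordPress core functions are real.

```php
<?php
// Added example, not Inquiry cart code. Option name, nonce action and
// function names are hypothetical; WordPress core APIs are real.

// Vulnerable pattern (the bug class CVE-2024-5155 describes): no capability
// or nonce check, raw $_POST stored, stored value echoed without escaping.
function ic_vuln_save_notice() {
    if ( isset( $_POST['ic_notice'] ) ) {
        update_option( 'ic_notice', $_POST['ic_notice'] ); // unsanitised
    }
    echo '<p>' . get_option( 'ic_notice', '' ) . '</p>';   // unescaped
}

// Hardened form: capability check, nonce check (defeats CSRF),
// sanitisation on the way in, escaping on the way out.
function ic_safe_save_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    if ( isset( $_POST['ic_notice'] ) ) {
        // Dies with 403 unless a valid nonce for this action was submitted,
        // so a cross-origin POST never reaches update_option().
        check_admin_referer( 'ic_save_notice', 'ic_nonce' );
        $notice = sanitize_text_field( wp_unslash( $_POST['ic_notice'] ) );
        update_option( 'ic_notice', $notice );
    }
    $current = get_option( 'ic_notice', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ic_save_notice', 'ic_nonce' ); ?>
        <input type="text" name="ic_notice"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <!-- Escaping at output is what stops a stored payload from executing. -->
    <p><?php echo esc_html( $current ); ?></p>
    <?php
}

add_action( 'admin_menu', function () {
    add_menu_page( 'Inquiry Notice', 'Inquiry Notice', 'manage_options',
                   'ic-notice', 'ic_safe_save_notice' );
} );
```

Auditing a plugin for this pattern means checking each admin POST path for `check_admin_referer`/`wp_verify_nonce` plus a capability check, and each echo of stored data for an `esc_*` call.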

Reservation

05/20/2024

Disclosure

06/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00212

KEV

no

Activities

very low

Sources
