CVE-2026-5169 in Inquiry form to posts or pages Plugininformação

Sumário

de MITRE • 08/04/2026

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that will execute whenever a user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

Wordfence

Reservar

30/03/2026

Divulgação

08/04/2026

Moderação

aceite

Entrada

VDB-356022

CPE

pronto

CWE

CWE-79 (confirmado)

CVSS

4.4 (CNA)

EPSS

0.00014

KEV

não

Atividades

muito baixo

Sector

Hostingprovider

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-5169
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-5169
CVE Details	https://www.cvedetails.com/cve/CVE-2026-5169/

◂ Voltar Visão Geral Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!