CVE-2026-5169

Name of the Vulnerable Software and Affected Versions The Inquiry Form to Posts or Pages plugin for WordPress versions up to and including 1.0.

Description The Inquiry Form to Posts or Pages plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'Form Header' field. This occurs because of inadequate input sanitization during saving using update option() and a lack of output escaping when displaying the stored value. The issue manifests in two places: (1) the plugin settings page at inq form.php line 180, where the value is echoed into an HTML attribute without esc attr(), and (2) the front-end shortcode output at inquery form to posts or pages.php line 139, where the value is output in HTML content without esc html(). This allows authenticated attackers with administrator-level access to inject arbitrary web scripts that execute when a user accesses the plugin settings page or views a page containing the [inquiry form] shortcode.

Recommendations For versions up to and including 1.0, ensure proper input sanitization and output escaping are implemented for the 'Form Header' field. Specifically, use esc attr() when echoing the value into HTML attributes and esc html() when outputting the value in HTML content.