CVE-2026-6293

Name of the Vulnerable Software and Affected Versions Inquiry Form to Posts or Pages version 1.0

Description The plugin is subject to Cross-Site Request Forgery (CSRF) which can lead to Stored Cross-Site Scripting (XSS). This occurs because the plugin settings update handler lacks nonce validation, fails to sanitize user-supplied fields, and does not escape output when rendering stored values. Specifically, the settings handler triggers based on the presence of the variable $ POST['inq hidden'] being set to 'Y' without utilizing check admin referer() or any WordPress nonce. This allows unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in Administrator into visiting a malicious page.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.