CVE-2026-4090
CSRF in Inquiry Cart Plugin Allows Admin Settings Manipulation
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inquiry_cart | inquiry_cart | up to and including 3.4.2 |
| inquiry_cart | plugin | up to and including 3.4.2 |
| wordfence | inquiry_cart | up to and including 3.4.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.4.2. The cause is that the function that processes settings form submissions (rd_ic_settings_page) does not verify a security token called a nonce, so it cannot tell a submission the administrator intended from one forged by another site. As a result, an attacker who tricks a logged-in administrator into an action such as clicking a malicious link can update the plugin's settings without holding any credentials of their own.
Because the settings are stored and later rendered in the WordPress admin area, the same forged request can be used to inject malicious scripts that will be stored and executed there.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated attackers to change the plugin's settings through forged requests if they can trick an administrator into clicking a malicious link.
Such unauthorized changes can include injecting malicious scripts that will be stored and executed in the admin area, potentially leading to further compromise of the WordPress site.
The CVSS score of 6.1 indicates a medium severity, with the potential for partial confidentiality and integrity loss, but no impact on availability.
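To make the missing nonce check concrete, here is an added illustration of the handler pattern behind CWE-352 next to its hardened form. This is not the Inquiry Cart plugin's own code; the option name `rd_ic_settings`, the field name `rd_ic_title` and the nonce action `rd_ic_save_settings` are assumed placeholders.

```php
<?php
// Added illustration, not the plugin's code. Option/field/action names are assumed.

// BEFORE: the handler trusts any POST that arrives with the admin's session
// cookie. A cross-site form auto-submitted from a page the admin visits
// carries that cookie, so the settings update goes through (CWE-352), and
// the unsanitized value becomes stored XSS in wp-admin.
function rd_ic_settings_page_vulnerable() {
    if ( isset( $_POST['rd_ic_title'] ) ) {
        update_option( 'rd_ic_settings', array(
            'title' => $_POST['rd_ic_title'], // unsanitized, unverified
        ) );
    }
    // ... render the form ...
}

// AFTER: capability check, nonce check bound to this action, sanitization
// on write, escaping on output.
function rd_ic_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['rd_ic_title'] ) ) {
        // Stops with a 403 unless the request carries a nonce that WordPress
        // issued to this user's session for this exact action.
        check_admin_referer( 'rd_ic_save_settings', 'rd_ic_nonce' );
        update_option( 'rd_ic_settings', array(
            'title' => sanitize_text_field( wp_unslash( $_POST['rd_ic_title'] ) ),
        ) );
    }
    $opts = get_option( 'rd_ic_settings', array( 'title' => '' ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'rd_ic_save_settings', 'rd_ic_nonce' ); ?>
        <input type="text" name="rd_ic_title"
               value="<?php echo esc_attr( $opts['title'] ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Note that the nonce is only a CSRF defence; the `sanitize_text_field` on write and `esc_attr` on output are what close the stored-script path the description mentions.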