WP Inquiries Security & Risk Analysis

wordpress.org/plugins/wp-inquiries

A simple contact form plugin that record inquiries.

10 active installs v0.2.1 PHP + WP 5.1+ Updated Dec 24, 2020
contact-formcontact-usenquiryinquirymessage
64
C · Use Caution
CVEs total1
Unpatched1
Last CVEApr 9, 2025
Safety Verdict

Is WP Inquiries Safe to Use in 2026?

Use With Caution

Score 64/100

WP Inquiries has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Apr 9, 2025Updated 5yr ago
Risk Assessment

The wp-inquiries plugin version 0.2.1 demonstrates a mixed security posture. On the positive side, it exhibits strong adherence to secure coding practices, with all identified SQL queries utilizing prepared statements and all output being properly escaped. The plugin also correctly implements nonce and capability checks for its AJAX handlers, and it has a small attack surface with no directly unprotected entry points. File operations and external HTTP requests are also absent, further reducing potential risks.

However, there are notable concerns. The taint analysis revealed one flow with an unsanitized path, which is flagged as high severity. This suggests a potential vulnerability where user-supplied input might be used in a way that could lead to unintended consequences or exploits. Furthermore, the plugin has a history of known vulnerabilities, including one medium severity SQL injection vulnerability that is currently unpatched. This ongoing unpatched vulnerability, combined with the high severity taint flow, indicates a need for immediate attention.

In conclusion, while wp-inquiries v0.2.1 has implemented several good security practices, the presence of a high-severity taint flow and an unpatched medium-severity SQL injection vulnerability present significant risks. The plugin's history of vulnerabilities, particularly SQL injection, combined with the current unpatched state, suggests a pattern that requires vigilance and prompt remediation. Users should prioritize updating to a patched version or be aware of the risks associated with the current version.

Key Concerns

  • Unpatched CVE (Medium SQLi)
  • High severity taint flow (unsanitized path)
Vulnerabilities
1 published

WP Inquiries Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-32685medium · 4.9Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Inquiries <= 0.2.1 - Authenticated (Administrator+) SQL Injection

Apr 9, 2025Unpatched
Version History

WP Inquiries Release Timeline

v0.2.1Current1 CVE
v0.21 CVE
v0.11 CVE
Code Analysis
Analyzed Apr 16, 2026

WP Inquiries Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
3 prepared
Unescaped Output
0
13 escaped
Nonce Checks
3
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

100% prepared3 total queries

Output Escaping

100% escaped13 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

4 flows1 with unsanitized paths
<inquiries-list-table> (classes/inquiries-list-table.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP Inquiries Attack Surface

Entry Points3
Unprotected0

AJAX Handlers 2

authwp_ajax_inquiries_ajax_actionincludes/ajax.php:85
noprivwp_ajax_inquiries_ajax_actionincludes/ajax.php:86

Shortcodes 1

[wp-inquiries] includes/shortcodes.php:16
WordPress Hooks 5
actionplugins_loadedincludes/database.php:40
actionadmin_menuincludes/settings.php:48
filterset-screen-optionincludes/settings.php:54
actionrest_api_initincludes/settings.php:56
actionwp_enqueue_scriptsincludes/shortcodes.php:27
Maintenance & Trust

WP Inquiries Maintenance & Trust

Maintenance Signals

WordPress version tested5.6.17
Last updatedDec 24, 2020
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

WP Inquiries Developer Profile

Aristo Rinjuang

1 plugin · 10 total installs

69
trust score
Avg Security Score
64/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP Inquiries

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-inquiries/css/wp-inquiries.css/wp-content/plugins/wp-inquiries/js/wp-inquiries.js
Script Paths
/wp-content/plugins/wp-inquiries/js/wp-inquiries.js
Version Parameters
wp-inquiries/css/wp-inquiries.css?ver=wp-inquiries/js/wp-inquiries.js?ver=

HTML / DOM Fingerprints

CSS Classes
inquiries-form
Data Attributes
data-sending
JS Globals
inquiries_ajax_object
REST Endpoints
/wp-inquiries/v0/inquiries/wp-inquiries/v0/inquiry/(?P<id>[\d]+)
Shortcode Output
<form method="post" class="inquiries-form"><input type="text" name="inquiry_name"<input type="email" name="inquiry_email"<textarea name="inquiry_message"
FAQ

Frequently Asked Questions about WP Inquiries