CVE-2026-4090 Overview
The Inquiry Cart plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to, and including, 3.4.2. The vulnerability exists due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This allows unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request if they can trick an administrator into performing an action such as clicking on a link.
Critical Impact
Attackers can modify plugin settings and inject stored XSS payloads targeting WordPress administrators, potentially leading to account takeover or further site compromise.
Affected Products
- WordPress Inquiry Cart plugin versions up to and including 3.4.2
Discovery Timeline
- April 22, 2026 - CVE-2026-4090 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4090
Vulnerability Analysis
This vulnerability combines Cross-Site Request Forgery (CSRF) with Stored Cross-Site Scripting (XSS), creating a chained attack scenario that significantly amplifies the security impact. The rd_ic_settings_page function in the Inquiry Cart plugin fails to implement proper nonce verification when handling settings form submissions. Without this critical security check, the application cannot distinguish between legitimate administrator requests and forged requests crafted by an attacker.
The absence of nonce verification allows attackers to craft malicious web pages that automatically submit settings changes when visited by an authenticated administrator. Because the stored settings values are also rendered without proper output escaping, attackers can inject JavaScript payloads that persist in the database and execute whenever an administrator accesses the plugin's admin area.
Root Cause
The root cause of this vulnerability is the missing implementation of WordPress nonce verification functions (such as wp_verify_nonce() or check_admin_referer()) within the rd_ic_settings_page function. WordPress provides built-in CSRF protection mechanisms through nonces, but developers must explicitly implement these checks. The vulnerable code path in the settings-page.php file processes form submissions without validating that the request originated from a legitimate admin session with a valid nonce token.
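The pattern the advisory describes, shown as an added illustration rather than the Inquiry Cart plugin's own code: a settings handler that stores form input with no nonce check and echoes it unescaped, beside the hardened form that adds a capability check, check_admin_referer() / wp_nonce_field(), input sanitization and output escaping. The function and option names (example_ic_*) and the nonce action name are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustrative example; not the plugin's code. Names prefixed example_ic_
// are hypothetical, as is the nonce action 'example_ic_save_settings'.

// BEFORE: the vulnerable pattern. No capability check, no nonce verification,
// raw $_POST written to the database, and the stored value echoed unescaped.
function example_ic_settings_page_vulnerable() {
    if ( isset( $_POST['example_ic_button_text'] ) ) {
        update_option( 'example_ic_button_text', $_POST['example_ic_button_text'] );
    }
    $text = get_option( 'example_ic_button_text', 'Add to inquiry' );
    echo '<form method="post">';
    echo '<input name="example_ic_button_text" value="' . $text . '">'; // unescaped
    echo '<input type="submit" value="Save">';
    echo '</form>';
    echo '<p>Current label: ' . $text . '</p>'; // stored XSS sink
}

// AFTER: hardened handler.
function example_ic_settings_page_fixed() {
    // Authorization: nonces prove intent, not permission, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'example-ic' ) );
    }

    if ( isset( $_POST['example_ic_button_text'] ) ) {
        // The missing CSRF check: rejects (HTTP 403) any request whose nonce was
        // not issued for this action and the current user's session.
        check_admin_referer( 'example_ic_save_settings', 'example_ic_nonce' );

        // Sanitize on input: sanitize_text_field() strips tags, so a <script>
        // element never reaches the database.
        $new_value = sanitize_text_field( wp_unslash( $_POST['example_ic_button_text'] ) );
        update_option( 'example_ic_button_text', $new_value );
    }

    $text = get_option( 'example_ic_button_text', 'Add to inquiry' );
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field( 'example_ic_save_settings', 'example_ic_nonce' );
    echo '<input name="example_ic_button_text" value="' . esc_attr( $text ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
    // Escape on output too: defence in depth in case unsanitized values from
    // before the fix are still stored.
    echo '<p>Current label: ' . esc_html( $text ) . '</p>';
}
```

Both sanitizing on input and escaping on output matter here: the nonce closes the CSRF route, sanitization stops new payloads being stored, and output escaping neutralizes anything already sitting in the database from before the fix.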
Attack Vector
The attack requires social engineering to succeed. An attacker must craft a malicious HTML page containing a hidden form that targets the plugin's settings endpoint. When an authenticated WordPress administrator visits this page, the form automatically submits, changing plugin settings without the admin's knowledge or consent. The network-based attack vector requires user interaction, as the administrator must be tricked into visiting the attacker-controlled page while logged into WordPress.
The attacker's malicious form submission can include JavaScript payloads in settings fields. These scripts are then stored in the WordPress database and rendered without proper escaping when administrators view the plugin's settings page, resulting in Stored XSS execution within the administrative context.
Detection Methods for CVE-2026-4090
Indicators of Compromise
- Unexpected modifications to Inquiry Cart plugin settings without administrator action
- JavaScript code or HTML tags appearing in plugin configuration fields
- Browser developer tools showing script execution from plugin settings pages
- WordPress admin users reporting unusual behavior or redirects when accessing plugin areas
Detection Strategies
- Review WordPress database entries related to Inquiry Cart settings for suspicious JavaScript or HTML content
- Monitor HTTP POST requests to the plugin's settings endpoint for requests missing valid nonce parameters
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Enable WordPress debug logging to capture unexpected settings changes
Monitoring Recommendations
- Configure web application firewall (WAF) rules to inspect POST requests targeting WordPress plugin settings endpoints
- Set up file integrity monitoring for the wp-content/plugins/inquiry-cart/ directory
- Monitor admin user session activity for requests to plugin settings without corresponding admin interface access
- Review server access logs for referrers from external domains on settings submission requests
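An added helper for two of the checks above (reviewing stored settings for HTML or script content, and reviewing access logs for settings-endpoint POSTs with an external Referer). It is not part of the advisory or the plugin; the option names, the settings URL path and the log lines are constructed sample data, and the endpoint path is a placeholder to replace with the real one.

```php
<?php
// Added example; not code from the advisory or the plugin. Option names, the
// settings path and the log lines below are constructed sample data.

// Heuristic patterns: none of these belong in a plain-text setting such as a label.
const EXAMPLE_IC_SUSPICIOUS_PATTERNS = [
    '/<\s*script\b/i',                         // inline <script> tag
    '/\bon[a-z]+\s*=/i',                       // inline event handler (onerror=, onload=, ...)
    '/javascript\s*:/i',                       // javascript: URL scheme
    '/<\s*(iframe|img|svg|object|embed)\b/i',  // tags commonly used to carry handlers
];

// Settings are often stored as (serialized) arrays; reduce them to scalar leaves.
function example_ic_flatten($value): array {
    if (!is_array($value)) {
        return [(string) $value];
    }
    $leaves = [];
    foreach ($value as $item) {
        $leaves = array_merge($leaves, example_ic_flatten($item));
    }
    return $leaves;
}

// Returns [option_name => first matching pattern] for values carrying HTML/script.
function example_ic_scan_option_values(array $options): array {
    $hits = [];
    foreach ($options as $name => $value) {
        foreach (example_ic_flatten($value) as $leaf) {
            foreach (EXAMPLE_IC_SUSPICIOUS_PATTERNS as $pattern) {
                if (preg_match($pattern, $leaf)) {
                    $hits[$name] = $pattern;
                    continue 3; // one hit per option is enough
                }
            }
        }
    }
    return $hits;
}

// Parses "combined" format access-log lines and returns POSTs to the settings
// endpoint whose Referer host is not the site itself (cross-site submissions).
function example_ic_find_cross_site_posts(array $lines, string $settings_path, string $site_host): array {
    $combined = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';
    $flagged = [];
    foreach ($lines as $line) {
        if (!preg_match($combined, $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status, $referer] = $m;
        if ($method !== 'POST' || strpos($target, $settings_path) !== 0) {
            continue;
        }
        $referer_host = parse_url($referer, PHP_URL_HOST);
        // A missing Referer ("-") is not proof of legitimacy (Referrer-Policy can
        // strip it); only an explicit foreign origin is flagged here, so pair this
        // with the nonce-parameter check on the same requests.
        if ($referer_host && strcasecmp($referer_host, $site_host) !== 0) {
            $flagged[] = ['ip' => $ip, 'time' => $time, 'status' => $status, 'referer' => $referer];
        }
    }
    return $flagged;
}

// --- constructed sample data ---
$sample_options = [
    'example_ic_button_text' => 'Add to inquiry',
    'example_ic_thank_you'   => ['title' => 'Thanks!', 'body' => '<img src=x onerror=alert(document.domain)>'],
    'example_ic_email'       => 'sales@shop.example',
];
$sample_log = [
    '203.0.113.5 - - [22/Apr/2026:10:15:01 +0000] "POST /wp-admin/admin.php?page=example-ic-settings HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=example-ic-settings" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Apr/2026:10:17:42 +0000] "POST /wp-admin/admin.php?page=example-ic-settings HTTP/1.1" 302 0 "https://lure.invalid/offer.html" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Apr/2026:10:18:00 +0000] "GET /wp-admin/admin.php?page=example-ic-settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

print_r(example_ic_scan_option_values($sample_options));
print_r(example_ic_find_cross_site_posts($sample_log, '/wp-admin/admin.php?page=example-ic-settings', 'shop.example'));
```

In a real review, feed example_ic_scan_option_values() the plugin's options (for instance from a wp_options export or a WP-CLI dump) and example_ic_find_cross_site_posts() the web server's access log with the real settings path and site host. The option scan is a heuristic and will produce false positives on legitimate HTML-bearing settings; it is meant to surface candidates for manual review, not to judge them.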
How to Mitigate CVE-2026-4090
Immediate Actions Required
- Update the Inquiry Cart plugin to a patched version as soon as one becomes available from the vendor
- Review current Inquiry Cart settings for any injected malicious content and sanitize if found
- Temporarily deactivate the plugin if it is not critical to site functionality
- Educate administrators about the risk of clicking links from untrusted sources while logged into WordPress
Patch Information
No official patch information is available at this time. Monitor the WordPress Plugin Repository and the Wordfence Vulnerability Report for updates on patched versions.
Workarounds
- Implement a Web Application Firewall (WAF) rule to require valid nonce tokens on requests to the plugin's settings endpoint
- Restrict access to the WordPress admin area by IP address if feasible for your environment
- Use browser extensions or policies that prevent automatic form submission from untrusted domains
- Consider using a plugin security scanner to monitor for suspicious changes to plugin configurations
# Example: restrict the WordPress login script by source IP in .htaccess.
# Uses Apache 2.2 access-control syntax (mod_access_compat on Apache 2.4);
# on Apache 2.4 the equivalent is "Require ip 192.168.1.100" and
# "Require ip 10.0.0.0/24" inside the same <Files> block.
# This covers wp-login.php only; to protect the whole admin area, place an
# equivalent rule in a .htaccess file inside wp-admin/ (keeping
# admin-ajax.php reachable if front-end features depend on it).
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.1.100
Allow from 10.0.0.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.