CVE-2026-5169 Overview
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'Form Header' field in versions up to and including 1.0. This vulnerability arises from insufficient input sanitization when saving data via update_option() and lack of output escaping when displaying the stored value.
The vulnerability manifests in two distinct locations within the plugin's codebase: first, on the plugin settings page at inq_form.php line 180, where the stored value is echoed into an HTML attribute without esc_attr() escaping, and second, in the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139, where the same value is rendered as HTML element content without esc_html() escaping.
Critical Impact
Authenticated attackers with administrator-level access can inject arbitrary JavaScript that executes when any user accesses the plugin settings page or views a page containing the [inquiry_form] shortcode.
Affected Products
- Inquiry Form to Posts or Pages WordPress plugin, version 1.0 and earlier
- Any WordPress site with a vulnerable version of the plugin installed and active
- Exposed surfaces: the plugin settings page in wp-admin and every front-end page that renders the [inquiry_form] shortcode
Discovery Timeline
- April 8, 2026 - CVE-2026-5169 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5169
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability allows an authenticated attacker with administrator privileges to persistently inject malicious JavaScript code into the WordPress database through the plugin's Form Header configuration field. The injected scripts are then executed in the browsers of any users who view either the plugin's settings page in the WordPress admin panel or any front-end page that renders the [inquiry_form] shortcode.
The requirement for administrator-level access limits the attack surface more than it first appears. On a standard single-site WordPress install, administrators hold the unfiltered_html capability and can already place arbitrary script in posts, widgets and theme files, so this bug adds little for them. It matters on multisite installs, where site administrators lack unfiltered_html and only super admins hold it, and on sites where DISALLOW_UNFILTERED_HTML has been set to take that capability away: there the plugin becomes a way around a restriction the site owner deliberately imposed, and a compromised or malicious administrator account gains a persistence point it should not have. In either setting, the stored nature of the XSS means the payload persists and fires for every viewer of the affected pages without further attacker interaction, including after the attacker's own access has been revoked.
Root Cause
The root cause is the absence of WordPress's built-in sanitization and escaping functions around user-controlled data. The plugin stores the Form Header value with update_option() as submitted, without a sanitize_callback or any equivalent filtering, and later echoes the stored value straight into HTML without the escaping function that matches each context: esc_attr() inside an attribute and esc_html() inside element content.
This is a textbook violation of the WordPress guidance to sanitize on input and escape late, at the point of output, with a context-appropriate function. Sanitizing on save alone would not be a complete fix here: sanitize_text_field() strips tags but leaves quotes in place, and a stray double quote can still close the value="..." attribute on the settings page, so output escaping is required at both locations regardless of what is stored.
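The two unescaped output contexts and the unsanitized save, shown side by side with a hardened version, as an added example for this advisory. This is not code from the Inquiry Form to Posts or Pages plugin: the option name inquiry_form_header, the form field name, the inq_example_ function names and the surrounding markup are assumptions for the illustration; only the pattern (raw update_option() write, unescaped attribute output, unescaped element-content output) mirrors what the advisory describes.

```php
<?php
// Added example for this advisory, not code from the Inquiry Form to Posts or
// Pages plugin. The option name 'inquiry_form_header', the field name, the
// inq_example_ function names and the markup are assumptions; only the
// unsanitized write and the two unescaped output contexts mirror the advisory.

/* ---------- Vulnerable pattern ---------- */

function inq_example_save_vulnerable() {
    // Raw request data is written straight into wp_options.
    update_option( 'inquiry_form_header', $_POST['inquiry_form_header'] );
}

function inq_example_settings_field_vulnerable() {
    $header = get_option( 'inquiry_form_header', '' );
    // Attribute context, no esc_attr(). A stored value of
    //   "><img src=x onerror=alert(document.domain)>
    // closes the value attribute and the <input>, leaving a live <img> tag.
    echo '<input type="text" name="inquiry_form_header" value="' . $header . '">';
}

function inq_example_shortcode_vulnerable( $atts ) {
    $header = get_option( 'inquiry_form_header', '' );
    // Element-content context, no esc_html(). The same stored value is emitted
    // verbatim, so the <img> tag and its onerror handler reach every visitor.
    return '<h2 class="inquiry-form-header">' . $header . '</h2>';
}

/* ---------- Hardened pattern: sanitize on save, escape on output ---------- */

add_action( 'admin_init', function () {
    // register_setting() routes every save of this option through
    // sanitize_callback, so update_option() never stores raw input.
    register_setting( 'inq_example_settings', 'inquiry_form_header', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
} );

function inq_example_settings_field_hardened() {
    $header = get_option( 'inquiry_form_header', '' );
    // Attribute context: esc_attr() encodes " ' < > & so the value cannot
    // close the attribute. The attribute must be quoted for this to hold.
    printf(
        '<input type="text" name="inquiry_form_header" value="%s">',
        esc_attr( $header )
    );
}

function inq_example_shortcode_hardened( $atts ) {
    $header = get_option( 'inquiry_form_header', '' );
    // Element-content context: esc_html() for a plain-text header. If the
    // field is meant to carry limited markup, use wp_kses_post() instead; it
    // drops <script> tags and on* attributes while keeping basic formatting.
    return '<h2 class="inquiry-form-header">' . esc_html( $header ) . '</h2>';
}
// The hardened handler would be wired with
//   add_shortcode( 'inquiry_form', 'inq_example_shortcode_hardened' );
// add_shortcode() replaces any earlier handler registered for the same tag.
```

The sanitize_callback keeps junk out of the database, but the two escaping calls are what actually close the bug: each one matches the context it writes into, and neither depends on what the save path did.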
Attack Vector
The attack vector is network-based, requiring the attacker to have authenticated access with administrator privileges. The exploitation flow involves an authenticated administrator navigating to the plugin settings page, entering a malicious JavaScript payload into the Form Header field, and saving the configuration. Once stored, the malicious script executes automatically whenever a victim user loads either the plugin's admin settings page or any WordPress page that includes the [inquiry_form] shortcode.
Since the vulnerability affects both admin and front-end contexts, the impact can extend beyond the WordPress dashboard to affect regular site visitors who encounter pages using the inquiry form functionality.
Detection Methods for CVE-2026-5169
Indicators of Compromise
- Unusual JavaScript code present in the wp_options table entries related to the Inquiry Form plugin
- Suspicious HTML or script tags stored in Form Header configuration values
- Reports of unexpected behavior or pop-ups from users viewing pages with the inquiry form
- Where a Content Security Policy with a report endpoint is deployed, violation reports whose document URI is the plugin settings page or a page carrying the shortcode
Detection Strategies
- Audit the WordPress wp_options table for entries containing script tags or JavaScript event handlers in plugin-related options
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Deploy web application firewall (WAF) rules to monitor for XSS payloads in POST requests to plugin settings endpoints
- Review WordPress admin activity logs for suspicious configuration changes to the Inquiry Form plugin
Monitoring Recommendations
- Do not rely on WordPress debug logging (WP_DEBUG_LOG) for this: it records PHP errors and notices on the server, never script execution in a visitor's browser. A Content-Security-Policy-Report-Only header with a report endpoint is the mechanism that surfaces unexpected inline script execution
- Monitor for changes to plugin configuration options through WordPress hooks or database triggers
- Implement real-time alerting for modifications to form-related settings by any administrator account
- Regularly scan stored content for XSS indicators using automated security scanning tools
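The hook-based monitoring and real-time alerting above, made concrete as an added example: a must-use plugin that logs every change to the Form Header option with the acting user and source address, and mails the site administrator when the new value carries stored-XSS markers. This is not part of the plugin. The option name inquiry_form_header, the inq_mon_ prefix and the indicator patterns are assumptions for the illustration; the real option name must be confirmed by reading the plugin source.

```php
<?php
/**
 * Plugin Name: Inquiry Form header change monitor (added example)
 *
 * Added illustration for this advisory, not part of the plugin. Drop into
 * wp-content/mu-plugins/ so it loads before the plugin. The option name
 * 'inquiry_form_header' and the inq_mon_ prefix are assumptions; confirm the
 * real option name against the plugin source.
 */

const INQ_MON_OPTION = 'inquiry_form_header';

/**
 * True when a value carries the usual stored-XSS markers: script tags,
 * inline on* handlers, javascript: URLs, HTML data: URLs or embedding tags.
 * Non-string values (arrays, objects) are inspected in JSON form. The on*
 * pattern is deliberately broad and can match ordinary prose; tune it
 * rather than silence it.
 */
function inq_mon_looks_like_xss( $value ) {
    if ( ! is_string( $value ) ) {
        $value = (string) wp_json_encode( $value );
    }
    $patterns = array(
        '/<\s*script\b/i',
        '/\bon[a-z]+\s*=/i',
        '/javascript\s*:/i',
        '/data\s*:\s*text\/html/i',
        '/<\s*(iframe|object|embed|svg)\b/i',
    );
    foreach ( $patterns as $regex ) {
        if ( preg_match( $regex, $value ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Record who changed the option and from where, then alert if the new value
 * looks malicious. Signature matches the update_option_{$option} action.
 */
function inq_mon_record_change( $old_value, $value, $option ) {
    $user       = wp_get_current_user();
    $remote     = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'cli';
    $suspicious = inq_mon_looks_like_xss( $value );

    $line = sprintf(
        '[inq-monitor] option %s changed by user #%d (%s) from %s; suspicious=%s',
        $option,
        $user->ID,
        $user->user_login !== '' ? $user->user_login : 'none',
        $remote,
        $suspicious ? 'yes' : 'no'
    );
    // Lands in the PHP error log, or wp-content/debug.log when WP_DEBUG_LOG is on.
    error_log( $line );

    if ( $suspicious ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Suspicious Form Header change on ' . home_url(),
            $line . "\n\nNew value:\n" . ( is_string( $value ) ? $value : wp_json_encode( $value ) )
        );
    }
}

// update_option_{$option} passes ( $old_value, $value, $option );
// add_option_{$option} passes ( $option, $value ), hence the wrapper.
add_action( 'update_option_' . INQ_MON_OPTION, 'inq_mon_record_change', 10, 3 );
add_action( 'add_option_' . INQ_MON_OPTION, function ( $option, $value ) {
    inq_mon_record_change( null, $value, $option );
}, 10, 2 );
```

update_option_{$option} only fires when the stored value actually changes, so a re-save of an identical payload produces no second log line; the initial write is the event that matters. Ship the error_log lines to whatever collects the web tier's logs so the alert survives a compromised wp-admin.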
How to Mitigate CVE-2026-5169
Immediate Actions Required
- Review and audit current Form Header field values in the plugin settings for any malicious content
- Restrict plugin installation and configuration to only trusted administrator accounts
- Consider temporarily disabling the Inquiry Form to Posts or Pages plugin until a patched version is available
- Implement Content Security Policy headers to mitigate the impact of potential XSS attacks
Patch Information
At the time of publication, no official patch has been confirmed for this vulnerability. Site administrators should monitor the WordPress Plugin Directory and the Wordfence Vulnerability Report for updates regarding security fixes. The vulnerable code locations are documented at inq_form.php line 180 and inquery_form_to_posts_or_pages.php line 139.
Workarounds
- Limit administrator access to only essential personnel until the vulnerability is patched
- Reset any Form Header value that contains markup to a known-good plain-text header rather than trying to strip script tags and event handlers out of it; pattern-based removal misses entity-encoded and multi-line variants
- Add a WordPress filter on the option (the option_{$option} filter runs on every get_option() read) that escapes the Form Header value before the plugin renders it, plus a pre_update_option_{$option} filter that sanitizes it on save
- Deploy a Web Application Firewall (WAF) with rules to filter XSS payloads in plugin configuration requests
# Review wp_options for suspicious content related to the plugin.
# Uses the site's actual table prefix rather than assuming wp_. The option_name
# pattern and the option name below are assumptions; confirm them against the plugin source.
wp db query "SELECT option_name, option_value FROM $(wp db prefix)options WHERE option_name LIKE '%inq%' AND (option_value LIKE '%<script%' OR option_value LIKE '%onerror%' OR option_value LIKE '%onload%' OR option_value LIKE '%onclick%' OR option_value LIKE '%javascript:%');"
# If a malicious value is found: keep a copy for the incident record, then reset the
# field to a known-good plain-text header. Do not try to strip tags with sed; a regex
# misses event handlers, multi-line payloads and entity-encoded variants.
wp option get inquiry_form_header > inquiry_form_header.bak
wp option update inquiry_form_header "Send us an inquiry"
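The filter-hook workaround from the list above, written out as an added example of a must-use plugin. It is not the plugin's own code and is not an official fix; it assumes the Form Header is stored as a plain string under the option name inquiry_form_header (the name used in the commands above, which is itself an assumption to confirm against the plugin source) and uses the inq_wa_ prefix for its own identifiers.

```php
<?php
/**
 * Plugin Name: Inquiry Form header escaping workaround (added example)
 *
 * Added illustration for this advisory, not the plugin's own code. Drop into
 * wp-content/mu-plugins/ until a fixed plugin release is installed, then remove.
 * Assumes the Form Header is stored as a plain string under the option name
 * 'inquiry_form_header'; confirm both against the plugin source.
 */

const INQ_WA_OPTION = 'inquiry_form_header';

// Write side: strip tags and control characters before the value reaches
// wp_options. pre_update_option_{$option} runs inside update_option(), so it
// covers the plugin's own save path without touching its code.
add_filter( 'pre_update_option_' . INQ_WA_OPTION, function ( $value ) {
    return is_string( $value ) ? sanitize_text_field( $value ) : $value;
} );

// Read side: option_{$option} runs on every get_option() read, so the plugin
// receives an already-escaped string at both unescaped output points.
// sanitize_text_field() alone is not enough: it leaves quotes in place, and a
// stray " still closes the value="..." attribute on the settings page.
// esc_html() encodes & < > " and ' and does not double-encode existing
// entities, so the value is inert in both the attribute context (line 180)
// and the element-content context (line 139). A payload that is already
// stored is neutralised on the next read without touching the database.
add_filter( 'option_' . INQ_WA_OPTION, function ( $value ) {
    return is_string( $value ) ? esc_html( $value ) : $value;
} );
```

After installing it, load the settings page and a shortcode page and confirm the header renders as text. Two limits to keep in mind: the read-side filter covers get_option() only, so it does nothing for code that queries wp_options through $wpdb directly, and if the plugin turns out to keep its settings in a serialized array under a different option, both hooks need the array handled and the real option name substituted.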
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


