Platform
wordpress
Component
inquiry-cart
Fixed in
3.4.3
3.4.3
A Cross-Site Request Forgery (XSRF) vulnerability exists within the Inquiry Cart plugin for WordPress, affecting versions up to 3.4.2. This flaw allows unauthenticated attackers to manipulate plugin settings by crafting malicious requests. Successful exploitation could lead to the injection of harmful scripts into the WordPress admin area, potentially compromising the entire site.
The primary impact of CVE-2026-4090 lies in the attacker's ability to modify the Inquiry Cart plugin's configuration. By crafting a forged request and tricking an administrator into clicking a malicious link, an attacker can inject arbitrary scripts. These scripts could then be stored and executed within the WordPress admin interface, granting the attacker persistent access and control. This could lead to defacement, data theft, or further compromise of the WordPress installation. The blast radius extends to any sensitive data accessible through the WordPress admin panel, and potentially to other connected systems if the WordPress site is part of a larger infrastructure.
CVE-2026-4090 was published on 2026-04-21. Its severity is currently assessed as Medium (CVSS 6.1). Public proof-of-concept (POC) code is not yet widely available, but the XSRF nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor security advisories and WordPress vulnerability databases for updates.
Exploit Status
EPSS
0.01% (3% percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2026-4090 is to upgrade the Inquiry Cart plugin to a version that addresses the XSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with XSRF protection rules to filter out malicious requests. Additionally, enforce strict access controls and regularly audit user permissions within the WordPress admin area. While a direct detection signature is not readily available, monitoring for unusual plugin setting changes in WordPress logs could provide an early warning sign. After upgrade, confirm by reviewing the plugin's changelog and verifying that nonce verification is properly implemented in the settings form submissions.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4090 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Inquiry Cart WordPress plugin versions up to 3.4.2. It allows attackers to manipulate plugin settings via forged requests.
Yes, if you are using the Inquiry Cart plugin in WordPress and are running version 3.4.2 or earlier, you are vulnerable to this XSRF attack.
Upgrade the Inquiry Cart plugin to the latest version that addresses this vulnerability. If immediate upgrade is not possible, implement a WAF with XSRF protection.
While no widespread exploitation has been reported, the vulnerability's nature makes it easily exploitable, so active exploitation is possible.
Check the Inquiry Cart plugin's official website and WordPress plugin repository for the latest security updates and advisories related to CVE-2026-4090.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.