Platform: wordpress
Component: inquiry-cart
Fixed in: 3.4.3
A Cross-Site Request Forgery (XSRF) vulnerability exists within the Inquiry Cart plugin for WordPress, affecting versions up to 3.4.2. This flaw allows unauthenticated attackers to manipulate plugin settings by crafting malicious requests. Successful exploitation could lead to the injection of harmful scripts into the WordPress admin area, potentially compromising the entire site.
The primary impact of CVE-2026-4090 lies in the attacker's ability to modify the Inquiry Cart plugin's configuration. By crafting a forged request and tricking an administrator into clicking a malicious link, an attacker can inject arbitrary scripts. These scripts could then be stored and executed within the WordPress admin interface, granting the attacker persistent access and control. This could lead to defacement, data theft, or further compromise of the WordPress installation. The blast radius extends to any sensitive data accessible through the WordPress admin panel, and potentially to other connected systems if the WordPress site is part of a larger infrastructure.
CVE-2026-4090 was published on 2026-04-21. Its severity is currently assessed as Medium (CVSS 6.1). Public proof-of-concept (POC) code is not yet widely available, but the XSRF nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor security advisories and WordPress vulnerability databases for updates.
Exploit status:
EPSS: 0.01% (3rd percentile)
CISA SSVC:
CVSS vector:
The immediate mitigation for CVE-2026-4090 is to upgrade the Inquiry Cart plugin to a version that addresses the XSRF vulnerability. If upgrading is not immediately feasible, consider deploying a Web Application Firewall (WAF) with XSRF protection rules to filter out malicious requests. Additionally, enforce strict access controls and regularly audit user permissions within the WordPress admin area. While no direct detection signature is readily available, monitoring WordPress logs for unusual plugin setting changes could provide an early warning. After upgrading, confirm the fix by reviewing the plugin's changelog and verifying that nonce verification is properly implemented in the settings form submissions.
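To show what the nonce and capability checks mentioned above look like in practice, here is an added illustration of a WordPress settings handler written without them (the class of bug described on this page) beside a hardened version. This is not the Inquiry Cart plugin's own code; the `ic_` prefix, option names, form fields and page slug are constructed placeholders.

```php
<?php
// Added illustrative example, not the Inquiry Cart plugin's own code.
// All ic_* names, option keys and the 'ic-settings' page slug are constructed placeholders.

// --- Pattern vulnerable to cross-site request forgery ---
// Any request that carries the expected POST field updates the option, whether or not
// it originated from the plugin's own settings page, and the value is stored unsanitized,
// so a forged request submitted by a logged-in admin's browser can persist script markup.
function ic_save_settings_unsafe() {
    if ( isset( $_POST['ic_button_label'] ) ) {
        update_option( 'ic_button_label', $_POST['ic_button_label'] );
    }
}

// --- Hardened form: nonce field in the form, nonce + capability check on submit ---
function ic_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ic_save_settings', 'ic_settings_nonce' ); ?>
        <input type="hidden" name="action" value="ic_save_settings">
        <input type="text" name="ic_button_label"
               value="<?php echo esc_attr( get_option( 'ic_button_label', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function ic_save_settings_safe() {
    // 1. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a valid nonce bound to this action and this user's session;
    //    a cross-site forged request cannot know it. check_admin_referer() dies on failure.
    check_admin_referer( 'ic_save_settings', 'ic_settings_nonce' );
    // 3. Store only a sanitized value so the stored setting cannot carry script markup.
    $label = sanitize_text_field( wp_unslash( $_POST['ic_button_label'] ?? '' ) );
    update_option( 'ic_button_label', $label );
    // 4. Redirect back to the settings page (placeholder slug) rather than re-rendering on POST.
    wp_safe_redirect( admin_url( 'admin.php?page=ic-settings&settings-updated=true' ) );
    exit;
}
add_action( 'admin_post_ic_save_settings', 'ic_save_settings_safe' );
```

When auditing a plugin after upgrade, the settings handler should show the equivalent of steps 1 through 3 before any `update_option()` call.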
No known patch available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-4090 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Inquiry Cart WordPress plugin versions up to 3.4.2. It allows attackers to manipulate plugin settings via forged requests.
Yes, if you are using the Inquiry Cart plugin in WordPress and are running version 3.4.2 or earlier, you are vulnerable to this XSRF attack.
Upgrade the Inquiry Cart plugin to the latest version that addresses this vulnerability. If immediate upgrade is not possible, implement a WAF with XSRF protection.
While no widespread exploitation has been reported, the vulnerability's nature makes it easily exploitable, so active exploitation is possible.
Check the Inquiry Cart plugin's official website and WordPress plugin repository for the latest security updates and advisories related to CVE-2026-4090.