3.4.3
A Cross-Site Request Forgery (XSRF) vulnerability exists within the Inquiry Cart plugin for WordPress, affecting versions up to 3.4.2. This flaw allows unauthenticated attackers to manipulate plugin settings by crafting malicious requests. Successful exploitation could lead to the injection of harmful scripts into the WordPress admin area, potentially compromising the entire site.
The primary impact of CVE-2026-4090 lies in the attacker's ability to modify the Inquiry Cart plugin's configuration. By crafting a forged request and tricking an administrator into clicking a malicious link, an attacker can inject arbitrary scripts. These scripts could then be stored and executed within the WordPress admin interface, granting the attacker persistent access and control. This could lead to defacement, data theft, or further compromise of the WordPress installation. The blast radius extends to any sensitive data accessible through the WordPress admin panel, and potentially to other connected systems if the WordPress site is part of a larger infrastructure.
CVE-2026-4090 was published on 2026-04-21. Its severity is currently assessed as Medium (CVSS 6.1). Public proof-of-concept (POC) code is not yet widely available, but the XSRF nature of the vulnerability makes it relatively straightforward to exploit. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor security advisories and WordPress vulnerability databases for updates.
Exploitation status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2026-4090 is to upgrade the Inquiry Cart plugin to a version that addresses the XSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with XSRF protection rules to filter out malicious requests. Additionally, enforce strict access controls and regularly audit user permissions within the WordPress admin area. While a direct detection signature is not readily available, monitoring WordPress logs for unusual plugin setting changes could provide an early warning sign. After upgrading, confirm the fix by reviewing the plugin's changelog and verifying that nonce verification is properly implemented in the settings form submissions.
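As an added illustration, not code from the Inquiry Cart plugin or from this advisory, the following hypothetical WordPress settings page shows what correctly implemented nonce and capability checks look like in a settings form handler; the option name, action slug and field name are assumptions chosen for the example.

```php
<?php
// Hypothetical plugin settings page (not the Inquiry Cart plugin's own code).
// The option name and action slug below are assumptions for this example.
const EXAMPLE_OPTION = 'example_cart_settings';
const EXAMPLE_ACTION = 'example_cart_save_settings';

// Render the settings form. wp_nonce_field() emits a hidden _wpnonce field
// bound to the logged-in user's session; a cross-site forged request cannot
// know its value, so it fails the check in example_save_settings().
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    $settings = get_option( EXAMPLE_OPTION, array( 'button_label' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( EXAMPLE_ACTION ) . '">';
    wp_nonce_field( EXAMPLE_ACTION, '_wpnonce' );
    echo '<input type="text" name="button_label" value="' . esc_attr( $settings['button_label'] ) . '">';
    submit_button();
    echo '</form>';
}

// Handle the submission. An XSRF-vulnerable handler typically writes $_POST
// straight into the option with neither check 1 nor check 2 below.
function example_save_settings() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: dies with a 403 unless the request came from our own form.
    check_admin_referer( EXAMPLE_ACTION, '_wpnonce' );
    // 3. Sanitize before storing, so the saved value cannot become a script
    //    that later executes in the admin area.
    $label = isset( $_POST['button_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['button_label'] ) )
        : '';
    update_option( EXAMPLE_OPTION, array( 'button_label' => $label ) );
    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', admin_url( 'options-general.php?page=example-cart' ) ) );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_save_settings' );
```

When auditing a plugin after the upgrade, look for a `check_admin_referer()` or `wp_verify_nonce()` call paired with a `current_user_can()` check on every code path that calls `update_option()` for its settings.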
No known patch. Review the vulnerability details carefully and apply mitigations according to your organization's risk tolerance. Ideally, uninstall the affected software and look for an alternative.
CVE-2026-4090 is a Cross-Site Request Forgery (XSRF) vulnerability affecting the Inquiry Cart WordPress plugin versions up to 3.4.2. It allows attackers to manipulate plugin settings via forged requests.
Yes, if you are using the Inquiry Cart plugin in WordPress and are running version 3.4.2 or earlier, you are vulnerable to this XSRF attack.
Upgrade the Inquiry Cart plugin to the latest version that addresses this vulnerability. If immediate upgrade is not possible, implement a WAF with XSRF protection.
While no widespread exploitation has been reported, the vulnerability's nature makes it easily exploitable, so active exploitation is possible.
Check the Inquiry Cart plugin's official website and WordPress plugin repository for the latest security updates and advisories related to CVE-2026-4090.