CVE-2026-4090
Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
0th
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
| CWE | CWE-352 |
| Vendor | ravster |
| Product | inquiry cart |
| Published | Apr 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for ravster inquiry cart
Be the first to know when new medium vulnerabilities affecting ravster inquiry cart are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
ravster / Inquiry cart
0 โค 3.4.2
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/772e9b2b-b2d5-4950-804b-d0914004710c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L46 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L46 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L6 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L6 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L47 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L47 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L48 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L48 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L49 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L49 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L32 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L34 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L34
Credits
Muhammad Nur Ibnu Hubab