WordPress Inquiry Form to Posts or Pages Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WordPress Inquiry Form to Posts or Pages plugin, affecting versions through 1.0. The issue arises from inadequate input sanitization when saving data via the update_option() function, coupled with a lack of output escaping when displaying the stored values. This vulnerability is present in two areas: the plugin settings page, where the 'Form Header' field value is echoed into an HTML attribute without proper escaping, and the front-end output of the shortcode, where the value is displayed in HTML content without appropriate sanitization. As a result, authenticated attackers with administrator privileges can inject arbitrary scripts that execute when a user accesses the settings page or views a page with the [inquiry_form] shortcode.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page or settings.