FS Product Inquiry <= 1.1.1 - Unauthenticated Stored XSS
Description
Unauthenticated Stored XSS in FS Product Inquiry WordPress plugin <= 1.1.1 due to unsanitized form submissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The FS Product Inquiry WordPress plugin through version 1.1.1 fails to sanitize and escape user-supplied data in its form submissions. This allows unauthenticated attackers to inject arbitrary JavaScript code that gets stored and executed in the context of the admin or other users viewing the submissions. [1]
Exploitation
An attacker can submit a form with malicious payloads, such as ``, without any authentication. The payload is stored and executed when the administrator or another user views the form submissions in the WordPress admin panel. [1]
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS), enabling the attacker to execute arbitrary scripts in the browser of any user who views the affected submissions. This can result in session hijacking, defacement, or theft of sensitive information. The CVSS score is 8.8 (high). [1]
Mitigation
No fix is currently available. The plugin has no known update addressing the issue. It is recommended to disable or remove the plugin until a patched version is released. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / FS Product Inquiry
- Range: <=1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping on form submissions allows stored cross-site scripting."
Attack vector
An unauthenticated attacker submits a crafted payload through the plugin's form fields. Because the plugin does not sanitize or escape the submitted data [ref_id=1], the malicious script is stored on the server and executed in the browsers of any users who view the affected page. This is a Stored Cross-Site Scripting (XSS) attack [CWE-79] requiring no authentication or special privileges [ref_id=1].
Affected code
The advisory does not specify exact files or functions. The vulnerability exists in the FS Product Inquiry WordPress plugin through version 1.1.1, in form submission handling that lacks sanitization and escaping [ref_id=1].
What the fix does
No patch or fix has been published by the vendor as of the advisory's last update [ref_id=1]. The remediation would require the plugin to properly sanitize and escape all user-supplied input before storing or displaying it, preventing arbitrary HTML and JavaScript from being injected into the page output [ref_id=1].
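The sanitize-on-input, escape-on-output remediation described above, shown as an added example that is not the FS Product Inquiry plugin's own code: a hypothetical inquiry-form handler written against WordPress APIs, with the unsafe pattern beside the hardened one. It assumes it is loaded inside WordPress (for sanitize_*, esc_*, $wpdb); the table and field names are invented.

```php
<?php
/*
 * Hypothetical inquiry-form handler, not the FS Product Inquiry plugin's code.
 * Assumes WordPress is loaded (sanitize_*, esc_*, wp_unslash, $wpdb).
 * Table and field names are invented for illustration.
 */

// Unsafe pattern of the kind the advisory describes: the raw POST value is
// stored as-is and later echoed into the admin page without escaping, so any
// HTML/JS in a submitted field becomes part of the administrator's page.
function fspi_store_inquiry_unsafe( array $post ) {
    global $wpdb;
    $wpdb->insert( $wpdb->prefix . 'fspi_inquiries', array(
        'name'    => $post['name'],
        'message' => $post['message'],
    ) );
}
function fspi_render_inquiry_unsafe( object $row ) {
    echo '<td>' . $row->name . '</td><td>' . $row->message . '</td>';
}

// Hardened version: reduce each field to the type it should hold on the way in,
// and escape for the HTML context on the way out.
function fspi_store_inquiry_safe( array $post ) {
    global $wpdb;
    // Submissions are unauthenticated, so there is no capability check to rely on;
    // every field is treated as untrusted. wp_unslash() removes WP's magic slashes.
    $name    = sanitize_text_field( wp_unslash( $post['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $post['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $post['message'] ?? '' ) );
    if ( '' === $name || ! is_email( $email ) ) {
        return false; // reject rather than store malformed submissions
    }
    $wpdb->insert(
        $wpdb->prefix . 'fspi_inquiries',
        compact( 'name', 'email', 'message' ),
        array( '%s', '%s', '%s' ) // values are parameterized, never interpolated into SQL
    );
    return true;
}
function fspi_render_inquiry_safe( object $row ) {
    // Output escaping is the control that actually stops stored XSS; input
    // sanitization alone does not cover data that reached the table by other paths.
    echo '<td>' . esc_html( $row->name ) . '</td>';
    echo '<td>' . esc_html( $row->email ) . '</td>';
    echo '<td>' . nl2br( esc_html( $row->message ) ) . '</td>';
}
```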
Preconditions
- Network: The attacker must be able to access the plugin's form submission endpoint over the network.
- Auth: No authentication or prior access is required; the attack is unauthenticated.
- Config: The plugin must be installed and active with a version <= 1.1.1.
Reproduction
The advisory does not include explicit reproduction steps beyond stating that the plugin fails to sanitize and escape form submissions [ref_id=1]. No public PoC with step-by-step instructions is provided in the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/bf1b8434-b361-4666-9058-d9f08c09d083/
News mentions
No linked articles in our index yet.