Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Quote Master plugin for WordPress fails to neutralize user‑supplied data before rendering a page, allowing an attacker to embed script code that executes in the victim’s browser. This reflected cross‑site scripting flaw can lead to cookie theft, session hijacking, page defacement, or injection of additional malicious payloads, and is classified as CWE‑79. The vulnerability lies in the plugin’s rendering path and requires no authentication; any visitor who loads a page through a crafted link can be affected.

Affected Systems

The flaw affects the Frank Corso Quote Master WordPress plugin. All versions up to and including 7.1.1 are vulnerable. Site owners running any of those versions should treat the plugin as out of date and at risk until it is updated.

Risk and Exploitability

The CVSS score of 7.1 denotes a high‑severity reflected XSS. The EPSS score of <1% indicates a low probability of exploitation in the near future, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an attacker crafting a malicious URL that embeds script code and then encouraging or tricking a user into visiting it. Because the flaw is reflected, the injected code is echoed back in the HTTP response and executed by the victim’s browser, making it a straightforward client‑side attack that requires no authentication (the CVSS vector records user interaction as required).

Generated by OpenCVE AI on April 29, 2026 at 10:57 UTC.
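The pattern behind CWE‑79 as described above, shown as an added PHP illustration (this is not Quote Master's code, and the page does not identify the affected parameter; the parameter name `qm_search`, the two render functions and the stand‑in escaping helpers are placeholders chosen for this example). It places a reflected request parameter into markup unescaped beside the same output escaped for its HTML context with the WordPress escaping API, and includes a small check a reviewer can run over both outputs.

```php
<?php
// Added illustration of the CWE-79 pattern: a reflected request parameter
// written into the page as-is, beside the escaped form.
// NOT Quote Master's code; 'qm_search' is a placeholder parameter name.

// Minimal stand-ins so this file runs outside WordPress. Inside WordPress
// the real esc_html()/esc_attr() from wp-includes/formatting.php are used.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable shape: the parameter lands in an attribute and in text content
// unchanged, so any markup characters in the query string become page markup.
function render_search_vulnerable(array $get): string {
    $term = $get['qm_search'] ?? '';
    return '<input name="qm_search" value="' . $term . '">'
         . '<p>Results for ' . $term . '</p>';
}

// Hardened shape: escape at the point of output, for the exact context
// (attribute value vs. element text) the value is written into.
function render_search_hardened(array $get): string {
    $term = isset($get['qm_search']) ? (string) $get['qm_search'] : '';
    return '<input name="qm_search" value="' . esc_attr($term) . '">'
         . '<p>Results for ' . esc_html($term) . '</p>';
}

// Review check: if the input contains tag or attribute delimiters and the
// output still contains the input verbatim, the value reached the page raw.
function output_contains_raw_markup(string $html, string $input): bool {
    return preg_match('/[<>"\']/', $input) === 1 && str_contains($html, $input);
}

// Constructed input: a harmless marker carrying the characters that matter
// (angle brackets and quotes); it is a test string, not a working payload.
$constructed = ['qm_search' => '<b>"marker"</b>'];

echo "vulnerable: " . render_search_vulnerable($constructed) . PHP_EOL;
echo "hardened:   " . render_search_hardened($constructed) . PHP_EOL;
var_dump(output_contains_raw_markup(render_search_vulnerable($constructed), $constructed['qm_search']));
var_dump(output_contains_raw_markup(render_search_hardened($constructed), $constructed['qm_search']));
```

Run with `php example.php` (PHP 8 or later for `str_contains`). In a real plugin the value should also be read through `wp_unslash()` and `sanitize_text_field()` on input; that sanitization does not replace output escaping, since escaping must match the context the value is finally written into.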

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quote Master to the latest stable release that incorporates the XSS fix (any version newer than 7.1.1).
  • If an upgrade is not immediately possible, consider deactivating or uninstalling the Quote Master plugin to eliminate the vulnerable code path.
  • Implement a strict Content Security Policy for the website, restricting script sources to trusted origins to mitigate the impact if an XSS payload is delivered.
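A concrete form of the third action above, added here as an example and not taken from OpenCVE or from the Quote Master plugin: a WordPress must‑use plugin that sends a nonce‑based Content‑Security‑Policy on front‑end responses. Only scripts tagged with the per‑request nonce may run, so script reflected from a query parameter carries no nonce and is blocked. The function names and the `EXAMPLE_CSP_REPORT_ONLY` constant are assumptions of this example; the hooks `send_headers` and `script_loader_tag` are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Example CSP Header (added illustration, not part of Quote Master)
 * Description: Sends a nonce-based Content-Security-Policy on front-end responses.
 * Install as wp-content/mu-plugins/example-csp.php.
 */

// One unpredictable nonce per request; never reuse it across responses.
function example_csp_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Build the policy. Start restrictive and widen only for documented needs.
function example_csp_policy(string $nonce): string {
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",  // no 'unsafe-inline': reflected script has no nonce
        "style-src 'self' 'unsafe-inline'",    // many themes still emit inline styles
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ]);
}

// Send the header before output starts. Deploy as Report-Only first to
// learn what the policy would break (core and themes emit inline scripts
// that need the nonce), then switch to enforcing once reports are clean.
add_action('send_headers', function () {
    if (is_admin()) {
        return; // wp-admin relies heavily on inline script; scope this policy to the front end
    }
    $name = (defined('EXAMPLE_CSP_REPORT_ONLY') && EXAMPLE_CSP_REPORT_ONLY)
        ? 'Content-Security-Policy-Report-Only'
        : 'Content-Security-Policy';
    header($name . ': ' . example_csp_policy(example_csp_nonce()));
});

// Tag scripts enqueued through the WordPress API with the nonce so that
// legitimate scripts keep running under the policy.
add_filter('script_loader_tag', function (string $tag, string $handle, string $src): string {
    return str_replace(' src=', ' nonce="' . esc_attr(example_csp_nonce()) . '" src=', $tag);
}, 10, 3);
```

Define `EXAMPLE_CSP_REPORT_ONLY` as `true` in `wp-config.php` during rollout and watch the browser console (or a `report-to` endpoint, if one is added to the policy) for violations before enforcing. A CSP limits the damage of a delivered payload; it does not fix the missing output escaping, so the plugin upgrade remains the primary action.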

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1.

Type: Title
Values Added: WordPress Quote Master plugin <= 7.1.1 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:03:53.880Z

Reserved: 2025-12-24T14:00:10.433Z

Link: CVE-2025-68849

Vulnrichment

Updated: 2026-01-28T21:21:43.550Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:11.520

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses