Description
The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A Contributor-level user can trigger execution against higher-privileged users by embedding the malicious shortcode in a post submitted for review, causing the injected scripts to execute when an administrator previews or views the post.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Instant‑Quote.co Quotation Page plugin for WordPress is vulnerable to stored cross‑site scripting via shortcode attributes in versions up to 1.3.4. Insufficient input sanitization and output escaping allow an authenticated contributor or higher to embed arbitrary JavaScript that will run whenever a user views a page containing the vulnerable shortcode. The description does not mention any other capabilities such as remote code execution or information disclosure.

Affected Systems

All installations of the Instant‑Quote.co Quotation Page WordPress plugin with versions 1.3.4 or earlier are affected. WordPress sites that permit contributors to use shortcodes are at risk. No additional platform or system requirements are noted.

Risk and Exploitability

The CVSS score of 6.4 indicates medium‑to‑high severity. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could embed a malicious shortcode into a post, have the post reviewed or previewed by a higher‑privileged user, and when that user views the post the injected script would execute. The required access level is contributor or higher, which is relatively easy to obtain in many compromised websites. Thus, while the flaw does not allow arbitrary code execution on the server, its impact on the confidentiality and integrity of users who view the affected content warrants prompt remediation.

Generated by OpenCVE AI on May 27, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Instant‑Quote.co Quotation Page plugin to any release newer than 1.3.4.
  • If an update cannot be applied immediately, limit contributor or lower roles from creating or editing shortcode attributes that accept user‑supplied data.
  • Consider removing or disabling the shortcode from public posts until a patch is applied, or implement a WordPress filter that escapes all shortcode attributes globally to prevent script injection.

Generated by OpenCVE AI on May 27, 2026 at 07:50 UTC.
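The recommended actions above come down to one code-level fix: every shortcode attribute must be escaped for the HTML context it is emitted into. The following is an added illustration, not code from the Instant-Quote.co plugin or from OpenCVE; the shortcode name `quote_box`, its attributes and the function names are hypothetical. It shows the unescaped pattern the advisory describes next to a hardened handler, plus the per-shortcode `shortcode_atts_{$shortcode}` filter that WordPress fires when `shortcode_atts()` is called with the shortcode name as its third argument.

```php
<?php
// Added example (hypothetical shortcode [quote_box title="..." color="..."]).
// Not the plugin's code; shown to illustrate the class of bug and its fix.

// Pattern the advisory describes: attributes are concatenated straight into
// markup, so a Contributor who controls title= or color= controls the output
// that an Administrator later renders when previewing the post.
function example_quote_box_unescaped( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#333333' ),
        $atts,
        'quote_box'
    );
    return '<div class="quote-box" style="color:' . $atts['color'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened handler: each value is validated or escaped for where it lands.
//  - color goes into a style attribute, so it is constrained to a hex colour
//    (sanitize_hex_color() returns null for anything else) and then esc_attr'd.
//  - title goes into element text, so it is esc_html'd.
function example_quote_box_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#333333' ),
        $atts,
        'quote_box'
    );

    $color = sanitize_hex_color( $atts['color'] );
    if ( null === $color || '' === $color ) {
        $color = '#333333'; // fall back rather than emit an unexpected value
    }

    return '<div class="quote-box" style="color:' . esc_attr( $color ) . '">'
         . '<h3>' . esc_html( $atts['title'] ) . '</h3></div>';
}
add_shortcode( 'quote_box', 'example_quote_box_hardened' );

// Defence in depth for a shortcode you cannot patch yet: the
// shortcode_atts_{$shortcode} filter runs inside shortcode_atts() when the
// third argument (the shortcode name) is supplied, so attribute values can be
// normalised before the handler sees them. This is a hypothetical hook-up for
// the example shortcode; it only helps when the handler passes that argument.
add_filter( 'shortcode_atts_quote_box', function ( $out, $pairs, $atts ) {
    // wp_strip_all_tags() removes markup; the handler must still escape on output.
    foreach ( $out as $key => $value ) {
        $out[ $key ] = wp_strip_all_tags( (string) $value );
    }
    return $out;
}, 10, 3 );
```

The filter is a stop-gap, not a substitute for escaping at output: stripping tags from an attribute does not make it safe inside a `style=` or `href=` attribute, which is why the hardened handler still validates the colour and calls `esc_attr()`/`esc_html()` at the point of use.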

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Neilmccutcheon; Neilmccutcheon instant-quote.co Quotation Page; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Neilmccutcheon; Neilmccutcheon instant-quote.co Quotation Page; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A Contributor-level user can trigger execution against higher-privileged users by embedding the malicious shortcode in a post submitted for review, causing the injected scripts to execute when an administrator previews or views the post.

Type: Title
Values Removed: (empty)
Values Added: Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Neilmccutcheon Instant-quote.co Quotation Page
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:30:49.935Z

Reserved: 2026-05-18T20:34:29.934Z

Link: CVE-2026-8884

Vulnrichment

Updated: 2026-05-27T10:30:45.468Z

NVD

Status : Received

Published: 2026-05-27T07:16:17.250

Modified: 2026-05-27T07:16:17.250

Link: CVE-2026-8884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:44Z

Weaknesses