VYPR
High severity · 7.3 · NVD Advisory · Published Nov 23, 2024 · Updated Apr 15, 2026

CVE-2024-11034

Description

The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress is vulnerable to arbitrary shortcode execution via the fire_contact_form AJAX action in all versions up to, and including, 1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated arbitrary shortcode execution in the Request a Quote for WooCommerce plugin (≤1.4) due to unvalidated do_shortcode in AJAX action.

Vulnerability

Overview

The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress (all versions up to and including 1.4) suffers from an arbitrary shortcode execution vulnerability. The root cause lies in the fire_contact_form AJAX action, which calls do_shortcode on user-supplied input without proper validation or sanitization. Because the action is also exposed without an authorization check, it can be triggered by unauthenticated users [1].

Exploitation

An unauthenticated attacker can exploit this by sending a crafted AJAX request to the WordPress installation containing a shortcode payload in the vulnerable parameter. Since the plugin does not restrict the do_shortcode call, any WordPress shortcode—including those from other plugins or WordPress core that can execute code or read files—can be abused. No authentication or special privileges are required, making the attack surface wide for sites running the plugin [1].

Impact

Successful exploitation enables an attacker to execute arbitrary shortcodes with the permissions of the web server. This can lead to a variety of outcomes such as data exfiltration (if a shortcode like [file] or a file-reading shortcode exists), unauthorized administrative actions (via shortcodes that create users or modify options), or site defacement. The exact impact depends on which shortcodes are available on the target WordPress installation [1].

Mitigation

The vendor has not released a patched version at the time of writing; users of versions ≤1.4 are advised to disable or remove the plugin until a security update is provided. No workaround short of deactivating the vulnerable AJAX action is currently available [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
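To make the root cause and the fix concrete, the following is an added, illustrative PHP example written for this page; it is not the plugin's source code. It reconstructs the pattern the advisory describes (an AJAX handler registered for unauthenticated visitors that passes request data straight into do_shortcode) next to a hardened handler that never lets request-controlled text reach do_shortcode. The parameter names (form_shortcode, form_id, message), the nonce action name quote_form_nonce, the quote_form post type and the [quote_form] shortcode tag are all assumptions made for the example.

```php
<?php
// Illustrative reconstruction of the vulnerability class in CVE-2024-11034.
// NOT the plugin's actual code; handler and parameter names are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_nopriv_ exposes the action to unauthenticated visitors, and the
// shortcode string itself comes from the request, so any shortcode registered
// on the site (core, theme or other plugins) can be invoked.
add_action( 'wp_ajax_nopriv_fire_contact_form', 'vulnerable_fire_contact_form' );
add_action( 'wp_ajax_fire_contact_form', 'vulnerable_fire_contact_form' );
function vulnerable_fire_contact_form() {
    // Assumed parameter name; the page does not name the real one.
    $form_shortcode = isset( $_POST['form_shortcode'] )
        ? wp_unslash( $_POST['form_shortcode'] )
        : '';
    echo do_shortcode( $form_shortcode ); // request-controlled shortcode executes
    wp_die();
}

// --- Hardened pattern -------------------------------------------------------
// The client sends only an opaque form ID. The shortcode string is built
// server-side from a fixed tag, so the request cannot choose which shortcode
// runs. A nonce ties the request to a page the site itself rendered, and
// free-text fields are stripped of shortcodes before they are stored or echoed.
add_action( 'wp_ajax_nopriv_fire_contact_form', 'hardened_fire_contact_form' );
add_action( 'wp_ajax_fire_contact_form', 'hardened_fire_contact_form' );
function hardened_fire_contact_form() {
    // Dies with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'quote_form_nonce', 'nonce' );

    // Only an integer ID is accepted, and it must refer to a form object
    // of the expected (assumed) post type.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( 0 === $form_id || 'quote_form' !== get_post_type( $form_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid form' ), 400 );
    }

    // User-supplied text is treated as data, never as shortcode markup.
    $message = isset( $_POST['message'] )
        ? strip_shortcodes( sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) )
        : '';

    // The tag is a constant chosen by the plugin; only the integer ID varies.
    $html = do_shortcode( sprintf( '[quote_form id="%d"]', $form_id ) );

    wp_send_json_success( array( 'html' => $html, 'message' => $message ) );
}
```

The design point is that validation of a shortcode string is hard to get right (nested shortcodes, attribute escaping, future plugins registering new tags), so the hardened version removes the problem instead: the request carries an identifier, and the server decides which shortcode tag to render. For an installed copy of the affected plugin, this is the kind of change a vendor fix would make; until one exists, deactivating the plugin as the Mitigation section recommends remains the only reliable option.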
