CVE-2026-8884
Description
The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A Contributor-level user can trigger execution against higher-privileged users by embedding the malicious shortcode in a post submitted for review, causing the injected scripts to execute when an administrator previews or views the post.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Instant-Quote.co Quotation Page WordPress plugin up to 1.3.4 suffers from stored XSS via shortcode attributes, allowing contributor-level attackers to inject scripts that execute in admin previews.
Vulnerability
The Instant-Quote.co Quotation Page plugin for WordPress, in all versions up to and including 1.3.4, is vulnerable to Stored Cross-Site Scripting (XSS) through shortcode attributes (such as hostid, filter1, filter2, or assettag). The vulnerability arises from insufficient input sanitization and output escaping of these attributes. The plugin registers the shortcode [iq_quotationpage] which accepts user-controlled parameters, and the values are not properly validated before being rendered in the page [1][2].
Exploitation
An attacker must be authenticated as a Contributor-level user or higher. The attacker crafts a WordPress post or page containing a malicious [iq_quotationpage] shortcode whose attribute values (e.g., the hostid attribute) contain JavaScript payloads. This post can be submitted for review. When an Administrator (or any other user with preview/view capability) accesses the post, either via preview or by viewing the published page, the injected script executes in the context of that user's session. No additional user interaction beyond viewing the content is required [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts in the context of a higher-privileged user's browser. This can lead to session hijacking, defacement of the WordPress site, theft of administrative credentials, or installation of backdoors. Since the XSS is stored in the post, every visitor to the injected page is affected, but the most severe impact occurs when an administrator encounters the payload during content review [1][2].
Mitigation
A patched version fixing the input sanitization and output escaping has not been explicitly mentioned in the available references; however, users should update the plugin to version 1.3.5 or later as soon as it is released. As a general workaround, restrict contributor-level access and review all submitted posts for suspicious shortcode attributes before publication. The plugin does not appear on the CISA KEV list as of the publication date [1][2].
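The workaround above asks editors to check submitted posts for suspicious shortcode attributes before publishing. The script below is an added example (not code from the CVE record, the plugin, or its author) of that pre-publication review: it pulls every [iq_quotationpage] tag out of a post body, parses the attributes the way WordPress's quoted/unquoted attribute syntax allows, and flags values that carry markup, event-handler syntax or a javascript: scheme. The shortcode and attribute names come from the advisory; the attribute allow-list, the heuristic patterns and the sample post bodies are assumptions constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Shortcode and attribute names are taken from the advisory text; the allow-list
# itself is an assumption for this demo, not the plugin's documented attribute set.
SHORTCODE = "iq_quotationpage"
KNOWN_ATTRS = {"hostid", "filter1", "filter2", "assettag"}

# One [iq_quotationpage ...] tag; group 1 is the raw attribute string.
# Simplified from WordPress's shortcode regex: self-closing tags only, and a
# literal ']' inside a value is not supported.
TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]", re.IGNORECASE)

# key="value", key='value' or key=bareword (WordPress accepts all three).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Review heuristics: none of these belong in an id, filter or asset-tag value.
SUSPICIOUS = [
    (re.compile(r"[<>]"), "angle bracket"),
    (re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE), "inline event handler"),
    (re.compile(r"javascript\s*:", re.IGNORECASE), "javascript: URI"),
    (re.compile(r"&#"), "numeric HTML entity"),
]


def parse_shortcodes(content: str) -> List[Dict[str, str]]:
    """Return the attribute dict of every matching shortcode in a post body."""
    tags = []
    for tag in TAG_RE.finditer(content):
        attrs: Dict[str, str] = {}
        for attr in ATTR_RE.finditer(tag.group(1)):
            key = attr.group(1).lower()
            # Exactly one of the three value groups is non-None.
            value = next(v for v in attr.groups()[1:] if v is not None)
            attrs[key] = value
        tags.append(attrs)
    return tags


def review_post(content: str) -> List[Tuple[str, str, str]]:
    """Flag (attribute, value, reason) for every attribute a reviewer should look at.

    An attribute name outside the allow-list is flagged on its own: a value that
    closes its quote early shows up here as an unexpected extra attribute.
    """
    findings = []
    for attrs in parse_shortcodes(content):
        for key, value in attrs.items():
            if key not in KNOWN_ATTRS:
                findings.append((key, value, "unexpected attribute name"))
            for pattern, reason in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((key, value, reason))
                    break
    return findings


# Constructed sample post bodies (not real submissions).
SAMPLE_POSTS = {
    "clean": 'Quote form: [iq_quotationpage hostid="42" filter1="east" assettag=Pump-7]',
    "markup_in_value": '[iq_quotationpage hostid="<i>42</i>" filter2="north"]',
    "scheme_in_value": "[iq_quotationpage filter1='javascript:void(0)']",
    "quote_break": '[iq_quotationpage assettag="x" onclick="go()"]',
    "no_shortcode": "Plain paragraph with no shortcode at all.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_POSTS.items():
        findings = review_post(body)
        verdict = "HOLD FOR REVIEW" if findings else "ok"
        print(f"{name:16} {verdict}")
        for key, value, reason in findings:
            print(f"    {key}={value!r}: {reason}")
```

The checks are deliberately noisy rather than precise: a reviewer workflow should hold anything unusual for a human look, and the unexpected-attribute check catches the quote-closing trick that a pure value-content check misses. It does not replace the real fix, which is validating the attributes inside the shortcode handler and escaping them on output.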
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.