The plugin does not sanitise or escape the Quote and Author fields of its Quotes before storing and outputting them, which allows high-privilege users (such as administrators) to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example on multisite, or when DISALLOW_UNFILTERED_HTML is set).
Proof of Concept: add or edit a Quote and put the following payload in the "Quote" and "Author" fields: <img src onerror=alert(/XSS/)>
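The store-and-echo mistake behind this advisory, beside its hardened form, as an added example (not the plugin's own code). The quotes_save_* / quotes_render_* names and the in-memory $meta store are hypothetical; sanitize_text_field, wp_unslash and esc_html are the real WordPress helpers, with minimal stand-ins defined so the file also runs from the PHP CLI outside WordPress. The request array is constructed to carry the advisory's payload in both fields.

```php
<?php
// Added example, not the plugin's code. Shows why "sanitise on save, escape on
// output" defeats the PoC payload regardless of the unfiltered_html capability.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): escape for an HTML text context.
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strip tags and control chars.
    function sanitize_text_field(string $s): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/u', '', strip_tags($s)));
    }
}
if (!function_exists('wp_unslash')) {
    // Stand-in for WordPress wp_unslash(): remove the slashes WP adds to request data.
    function wp_unslash(string $s): string { return stripslashes($s); }
}

// Hypothetical post-meta store; in WordPress this is update_post_meta/get_post_meta.
$meta = [];

// --- Vulnerable pattern: the submitted values are stored and echoed verbatim. ---
function quotes_save_unsafe(array $post, array &$meta): void {
    $meta['quote']  = $post['quote'];   // no sanitisation at all
    $meta['author'] = $post['author'];
}
function quotes_render_unsafe(array $meta): string {
    // Raw interpolation into HTML: any markup in the stored value becomes live.
    return '<blockquote>' . $meta['quote']
         . '<cite>' . $meta['author'] . '</cite></blockquote>';
}

// --- Hardened pattern: sanitise on save, escape on output. ---
function quotes_save_safe(array $post, array &$meta): void {
    // These are plain-text fields, so strip markup at save time for every user.
    // The stored value is then safe even where unfiltered_html is disallowed.
    $meta['quote']  = sanitize_text_field(wp_unslash($post['quote']));
    $meta['author'] = sanitize_text_field(wp_unslash($post['author']));
}
function quotes_render_safe(array $meta): string {
    // Escape at output time as well: defence in depth for unsanitised meta that
    // may already be in the database from before the fix.
    return '<blockquote>' . esc_html($meta['quote'])
         . '<cite>' . esc_html($meta['author']) . '</cite></blockquote>';
}

// Constructed request carrying the advisory's PoC payload in both fields.
$request = [
    'quote'  => '<img src onerror=alert(/XSS/)>',
    'author' => '<img src onerror=alert(/XSS/)>',
];

quotes_save_unsafe($request, $meta);
echo "unsafe: " . quotes_render_unsafe($meta) . "\n"; // the img tag is emitted live

quotes_save_safe($request, $meta);
echo "safe:   " . quotes_render_safe($meta) . "\n";   // the tag is gone
```

If the plugin intends to allow markup in these fields, the right gate is WordPress's own decision rather than the user's role: return the raw value only when current_user_can('unfiltered_html') is true, and otherwise pass it through wp_kses_post(), whose allow-list drops on* event-handler attributes such as the onerror used here while keeping basic formatting.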
Vishal Mohan
Vishal Mohan
Yes
2021-09-27
2021-09-27
2022-04-14