WordPress Plugin Vulnerabilities

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress < 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quillforms-popup' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
quillforms
Fixed in 4.0.0

References

CVE
CVE-2024-11826
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d59a4d69-cf51-44c1-90bf-19be04774c27

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
theviper17y
Verified
No
WPVDB ID
41d05d30-952f-468e-b396-ce450233ec04

Timeline

Publicly Published
2025-01-06 (about 1 year ago)
Added
2025-01-06 (about 1 year ago)
Last Updated
2025-01-07 (about 1 year ago)

Other

Published
Title
Published
2026-06-04
Title
FV Flowplayer Video Player < 7.5.51.7212 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2023-10-18
Title
Smart Cookie Kit < 2.3.2 - Contributor+ Stored XSS
Published
2025-01-27
Title
Wise Forms <= 1.2.0 - Unauthenticated Stored XSS
Published
2023-01-03
Title
Accordion Shortcodes <= 2.4.2 - Contributor+ Stored XSS via Shortcode
Published
2025-06-19
Title
Automatically Hierarchic Categories in Menu < 2.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting