Request a Quote < 2.3.4 – Authenticated Stored XSS | CVE 2021-24420 | Plugin Vulnerabilities

Description

The plugin did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table.

Note: By default, admins and editors are allowed to use JavaScript in posts and page, unless the UNFILTERED_HTML capability is disallowed. However, even with this capability disallowed, the plugin did not sanitise the inputs

Proof of Concept

As an admin (and with the UNFILTERED_HTML disallowed), add a quote with the following payload in the "First Name", "Last Name", "Address", "City", and "Additional Details" fields: <script>alert(/XSS/)</script>

View the 'All Quotes" list to trigger the XSS

Affects Plugins

request-a-quote

Fixed in 2.3.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ajay Sandipan Thorbole

Submitter

Ajay Sandipan Thorbole

Submitter twitter

Verified

Yes

WPVDB ID

426eafb1-0261-4e7e-8c70-75bf4c476f18

Timeline

Publicly Published

2021-06-16 (about 4 years ago)

Added

2021-06-16 (about 4 years ago)

Last Updated

2021-06-21 (about 4 years ago)

Other

Published

Title

Published

2022-02-17

Title

Kunze Law < 2.1 - Admin+ Stored Cross-Site Scripting

Published

2025-09-05

Title

aThemes Addons for Elementor Lite < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

Published

2024-06-20

Title

Master Slider < 3.10.5 - Reflected Cross-Site Scripting

Published

2024-04-09

Title

Elementor Addons by Livemesh < 8.3.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via widget _id attribute

Published

2025-01-13

Title

Royal Elementor Addons and Templates < 1.7.1007 - Stored XSS via CSRF