Request a Quote < 2.3.4 - Authenticated Stored XSS
The plugin did not sanitise and escape some of its quote fields when adding or editing a quote as admin, leading to Stored Cross-Site Scripting issues when the quote is output in the "All Quotes" table.
Proof of Concept
As an admin (with the unfiltered_html capability disallowed), add a quote with the following payload in the "First Name", "Last Name", "Address", "City", and "Additional Details" fields: <script>alert(/XSS/)</script>
View the "All Quotes" list to trigger the XSS.
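
The fix pattern for this class of bug, as an added example that is not the plugin's own code: sanitise the five fields when the quote is saved and escape them when the table row is rendered. The field keys, constant and function names are hypothetical; sanitize_text_field() and esc_html() are WordPress core functions, with labelled stand-ins so the file also runs under plain PHP.

```php
<?php
// Added example, not the plugin's code. Keys and example_* names are hypothetical.

// Stand-ins used only outside WordPress; inside WordPress the core functions apply.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// The five fields named in the advisory, under assumed storage keys.
const EXAMPLE_QUOTE_FIELDS = ['first_name', 'last_name', 'address', 'city', 'additional_details'];

// Input side: sanitise every field before the quote is stored.
function example_sanitize_quote(array $post): array {
    $clean = [];
    foreach (EXAMPLE_QUOTE_FIELDS as $key) {
        $clean[$key] = sanitize_text_field($post[$key] ?? '');
    }
    return $clean;
}

// Vulnerable pattern: the stored value is concatenated into the cell unchanged.
function example_row_unescaped(array $quote): string {
    $cells = '';
    foreach (EXAMPLE_QUOTE_FIELDS as $key) {
        $cells .= '<td>' . ($quote[$key] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Hardened pattern: escape on output, so rows saved before the fix are also safe.
function example_row_escaped(array $quote): string {
    $cells = '';
    foreach (EXAMPLE_QUOTE_FIELDS as $key) {
        $cells .= '<td>' . esc_html($quote[$key] ?? '') . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Constructed input: the advisory's payload submitted in every field.
$submitted = array_fill_keys(EXAMPLE_QUOTE_FIELDS, '<script>alert(/XSS/)</script>');

echo example_row_unescaped($submitted), "\n";                       // raw markup in the row
echo example_row_escaped($submitted), "\n";                         // markup entity-encoded
echo example_row_escaped(example_sanitize_quote($submitted)), "\n"; // sanitised, then escaped
```

Escaping at output is the control that closes the "All Quotes" rendering path; sanitising at save time alone leaves already-stored rows exploitable.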