Inspirational Quote Rotator <= 1.0.0 – Admin+ Stored Cross-Site Scripting | CVE 2021-24771 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowed

Proof of Concept

Add/edit a quote (/wp-admin/options-general.php?page=iqr-settings) and put the following payload in the Title or Content: <script>alert(/XSS/)</script>

Affects Plugins

inspirational-quote-rotator

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vishal Mohan

Submitter

Vishal Mohan

Verified

Yes

WPVDB ID

a6d57fda-79a7-4bf8-b18e-8cf0a4efd1b3

Timeline

Publicly Published

2021-11-15 (about 4 years ago)

Added

2021-11-15 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2025-10-21

Title

Mixlr Shortcode <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2023-10-16

Title

bbp style pack < 5.6.8 - Contributor+ Stored XSS

Published

2024-01-05

Title

Oxygen Builder < 4.8.1 - Contributor+ Stored XSS

Published

2014-08-01

Title

Shoutbox - Unspecified XSS

Published

2025-09-17

Title

Ghost Kit < 3.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting