The plugin does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the “Quotes list” even when the unfiltered_html capability is disallowed
Add/edit a quote (/wp-admin/options-general.php?page=iqr-settings) and put the following payload in the Title or Content:
CPE | Name | Operator | Version |
---|---|---|---|
inspirational-quote-rotator | eq | * |