Stored Cross-Site Scripting Vulnerability in Quill Forms Plugin for WordPress
CVE-2024-11826

6.4 MEDIUM

Key Information:

Vendor: Mdmag
Status:
Product: Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation Or Donation Form On WordPress
CVE Published: 7 January 2025

Summary

The Quill Forms plugin for WordPress contains a stored cross-site scripting flaw that authenticated users with contributor-level access and above can abuse. The flaw lies in the plugin's 'quillforms-popup' shortcode: insufficient sanitization of the shortcode's input and insufficient escaping of its output let a user inject arbitrary script into a page. That script then executes in the browser of anyone who views the affected page, which puts the integrity and security of WordPress sites using this plugin at risk. Site administrators should upgrade to a patched version and apply proper safeguards.
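The pattern the summary describes is a shortcode handler that copies caller-supplied attributes into HTML without validation or escaping. The following is an added illustration written for this page, not code from the Quill Forms plugin; the shortcode name `demo-popup` and its attributes `form_id` and `button_text` are hypothetical. It shows the vulnerable shape beside a hardened version that validates on input and escapes on output with the WordPress functions `shortcode_atts`, `absint`, `sanitize_text_field` and `esc_html`. The reason contributors matter here is that WordPress withholds the `unfiltered_html` capability from that role, but shortcode handlers run with whatever markup they themselves emit, so the handler, not the post filter, has to do the escaping.

```php
<?php
// Added example for this advisory page; hypothetical shortcode, not the plugin's code.

// VULNERABLE: attribute values are interpolated straight into the markup.
function demo_popup_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'form_id' => '', 'button_text' => 'Open form' ),
        $atts,
        'demo-popup'
    );
    // Whatever a contributor writes in button_text or form_id lands in the page unescaped,
    // so a crafted attribute value becomes script that runs for every visitor.
    return '<button class="demo-popup" data-form="' . $atts['form_id'] . '">'
         . $atts['button_text'] . '</button>';
}

// HARDENED: validate on the way in, escape on the way out.
function demo_popup_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'form_id' => '', 'button_text' => 'Open form' ),
        $atts,
        'demo-popup'
    );

    $form_id     = absint( $atts['form_id'] );                  // coerce to a non-negative integer
    $button_text = sanitize_text_field( $atts['button_text'] ); // strip tags and stray control characters

    if ( 0 === $form_id ) {
        return ''; // no usable form id: render nothing rather than untrusted markup
    }

    // %d forces an integer into the attribute; esc_html() encodes <, >, &, and quotes
    // so the button label can only ever be text, never an element or an event handler.
    return sprintf(
        '<button class="demo-popup" data-form="%d">%s</button>',
        $form_id,
        esc_html( $button_text )
    );
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'demo-popup', 'demo_popup_shortcode_hardened' );
```

The two functions differ only in the last few lines, which is the point: the shortcode API does not escape anything for you, and `shortcode_atts` merely fills in defaults. Every value that ends up inside an attribute goes through `esc_attr` (or is cast to an integer as above), and every value that ends up as element text goes through `esc_html`; if rich text must be allowed, `wp_kses_post` is the whitelist filter to use instead of passing it through raw.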

Affected Version(s)

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress: all versions <= 3.10.0

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Youcef Hamdani