Stored Cross-Site Scripting Vulnerability in Instant-Quote.co Plugin for WordPress
CVE-2026-8884

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Instant-quote.co Quotation Page
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-8884?

The Instant-Quote.co Quotation Page plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access and higher to exploit inadequate input sanitization and output escaping mechanisms. This flaw enables attackers to inject arbitrary web scripts via shortcode attributes, leading to the execution of malicious scripts when a user accesses the affected page. Notably, an attacker can embed malicious shortcodes within a post that, when submitted for review, can execute scripts against higher-privileged users, such as administrators, upon their interaction with the post.

Affected Version(s)

Instant-Quote.co Quotation Page 0 <= 1.3.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/iq-quotation-p...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 18, 2026

Credit

Muhammad Yudha - DJ

CVE-2026-8884 Data

JSON