CVE-2026-8884 Overview
CVE-2026-8884 is a Stored Cross-Site Scripting (XSS) vulnerability in the Instant-Quote.co Quotation Page plugin for WordPress. The flaw affects all versions of the iq-quotation-page plugin up to and including 1.3.4. The vulnerability stems from insufficient input sanitization and output escaping on shortcode attributes [CWE-79]. Authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript into pages. The injected scripts execute in the browser of any user who views the affected page, including administrators previewing posts submitted for review.
Critical Impact
A Contributor can escalate impact to higher-privileged users by embedding a malicious shortcode in a post submitted for review, triggering script execution when an administrator previews the post.
Affected Products
- Instant-Quote.co Quotation Page plugin for WordPress (iq-quotation-page)
- All versions up to and including 1.3.4
- WordPress sites permitting Contributor-level user registration or self-service accounts
Discovery Timeline
- 2026-05-27 - CVE-2026-8884 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-8884
Vulnerability Analysis
The Instant-Quote.co Quotation Page plugin registers shortcodes that accept user-controlled attributes. The plugin renders these attributes back into page output without applying WordPress escaping functions such as esc_attr() or esc_html(). The vulnerable code paths are located in IQ-quotation-page.php around lines 339 and 429, where shortcode attribute values are concatenated directly into HTML output.
Because the injection point is a shortcode, any user role that can author content containing shortcodes can deliver the payload. WordPress grants Contributors the ability to create posts and submit them for review. When an editor or administrator previews the unpublished submission, the shortcode renders and the attacker-controlled JavaScript executes in the reviewer's authenticated session. This produces a cross-privilege impact, allowing session theft, administrative action forgery, or persistence through the creation of new administrator accounts.
Root Cause
The root cause is missing output escaping on shortcode attribute values combined with absent input sanitization on save. The plugin trusts shortcode parameters as safe HTML context, which violates WordPress secure coding guidance for shortcode handlers.
Attack Vector
The attack vector is network-accessible and requires low-privilege authentication. An attacker registers or compromises a Contributor account, drafts a post containing the plugin's shortcode with a crafted attribute value, and submits the post for review. The payload executes when any authenticated user with higher privileges renders the post in the editor preview or front-end view. The scope changes because Contributor-controlled input compromises Administrator-context script execution. See the WordPress Plugin Code Review at line 339 and line 429 for the unescaped sinks, and the Wordfence Vulnerability Report for additional analysis.
Detection Methods for CVE-2026-8884
Indicators of Compromise
- Posts or pages containing the Instant-Quote plugin shortcode with attribute values that include <script>, onerror=, onload=, javascript:, or HTML-encoded variants of these tokens.
- Unexpected creation of WordPress administrator accounts or modification of user roles shortly after a Contributor-submitted post is previewed.
- Outbound HTTP requests from administrator browsers to attacker-controlled domains immediately after viewing a draft post.
- Modified wp_options or wp_users records authored by sessions that match administrator logins triggered from a post preview workflow.
Detection Strategies
- Query the wp_posts table for post_content entries containing the Instant-Quote shortcode and inspect attribute values for HTML or JavaScript tokens.
- Deploy a web application firewall (WAF) rule that inspects POST requests to /wp-admin/post.php and /wp-admin/post-new.php for shortcode payloads containing script-context characters.
- Correlate Contributor post submissions with subsequent privileged account changes within a short time window.
Monitoring Recommendations
- Enable WordPress audit logging to capture role assignments, plugin installations, and option changes performed in administrator sessions.
- Monitor reverse proxy or CDN logs for anomalous JavaScript fetch patterns originating from /wp-admin/ referrers.
- Alert on new user registrations followed by post submissions containing the affected shortcode.
How to Mitigate CVE-2026-8884
Immediate Actions Required
- Deactivate the Instant-Quote.co Quotation Page plugin until a patched release is available.
- Audit existing draft, pending, and published posts for the plugin shortcode and remove any entries with suspicious attribute content.
- Review the WordPress user list and revoke unrecognized Contributor, Author, Editor, or Administrator accounts.
- Force password resets for all privileged accounts that may have previewed attacker-submitted content.
Patch Information
No fixed version has been published in the data available at NVD at the time of disclosure. Track the Wordfence Vulnerability Report and the plugin's WordPress.org repository for an updated release that applies esc_attr() and wp_kses_post() to shortcode attribute output.
Workarounds
- Restrict Contributor registration by disabling open user registration in Settings → General and requiring administrator approval.
- Remove the unfiltered_html capability from non-administrator roles using a role management plugin.
- Apply a WAF signature that blocks shortcode attribute values containing HTML script delimiters until a patched plugin version is installed.
- Configure administrators to preview submissions only in a separate, unprivileged browser profile to limit blast radius.
# Configuration example: temporarily disable the vulnerable plugin via WP-CLI
wp plugin deactivate iq-quotation-page
# Search the database for existing instances of the shortcode
wp db query "SELECT ID, post_status, post_author FROM wp_posts WHERE post_content LIKE '%[iq-quotation%'"
# Remove the unfiltered_html capability from lower-privileged roles
wp cap remove contributor unfiltered_html
wp cap remove author unfiltered_html
wp cap remove editor unfiltered_html
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
