CVE-2026-8884 neilmccutcheon CVE debrief

Who should care

WordPress site administrators using the Instant-Quote.co Quotation Page plugin; security teams managing multi-author WordPress environments with contributor-level access; developers maintaining WordPress plugins with shortcode functionality

Technical summary

The Instant-Quote.co Quotation Page plugin fails to sanitize and escape input within shortcode attributes before rendering output. This allows authenticated users with contributor or higher privileges to inject JavaScript payloads through shortcode parameters. When embedded in posts—particularly those submitted for administrator review—these payloads execute in the context of higher-privileged users' browsers. The vulnerability affects all plugin versions through 1.3.4 and represents a stored XSS condition with scope change (S:C) in the CVSS calculation, indicating impact beyond the vulnerable component's security authority.

Defensive priority

medium

Recommended defensive actions

• Update the Instant-Quote.co Quotation Page plugin to version 1.3.5 or later if available
• Implement least-privilege access controls; review and restrict contributor-level accounts where possible
• Deploy Content Security Policy (CSP) headers to mitigate impact of XSS payloads
• Enable WordPress automatic updates for plugins to reduce exposure window
• Review post preview and review workflows for additional output sanitization controls
• Monitor for suspicious shortcode usage in post content and pending review queues

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code references. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources