Threat Entry Updated 2024-11-23

CVE-2024-10874 - Quotes Llama Plugin

The Quotes llama plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quotes-llama' shortcode in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Quotes Llama

CVE-2024-10874

MEDIUM CVSS 6.4 2024-11-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-1566 - Quotes Llama Plugin

The Quotes llama WordPress plugin before 1.0.0 does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The attack could also be performed by tricking an admin to import a malicious CSV file

PLUGIN Quotes Llama

CVE-2022-1566

MEDIUM CVSS 4.8 2022-05-30

Risk Score

Open Full Technical Breakdown