The Quill Forms WordPress plugin (versions up to 3.10.0) contains a stored cross-site scripting vulnerability (CWE-79) in the 'quillforms-popup' shortcode. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes. Authenticated attackers with contributor-level privileges or higher can exploit this to inject arbitrary JavaScript that executes in the context of users viewing the injected page. The CVSS 3.1 base score is 6.4 (medium), with network attack vector, low attack complexity, privileges required at the contributor level, no user interaction needed, and impacts confidentiality and integrity with no impact on availability. No known exploits are reported in the wild, and no patch or official fix has been documented yet.

An attacker with contributor-level access or higher can inject persistent malicious scripts into pages via the vulnerable shortcode. These scripts execute in the browsers of users who visit the affected pages, potentially leading to unauthorized actions such as session hijacking or data theft. The impact affects confidentiality and integrity but does not affect availability. Since the vulnerability requires authenticated access at contributor level, it limits the attacker scope to users with some level of trust within the WordPress environment.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to restrict contributor-level access to trusted users only and consider removing or disabling the 'quillforms-popup' shortcode usage where possible. Monitor vendor channels for updates and apply patches promptly once released.