The plugin did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table. Note: By default, admins and editors are allowed to use JavaScript in posts and page, unless the UNFILTERED_HTML capability is disallowed. However, even with this capability disallowed, the plugin did not sanitise the inputs
As an admin (and with the UNFILTERED_HTML disallowed), add a quote with the following payload in the "First Name", "Last Name", "Address", "City", and "Additional Details" fields: <script>alert(/XSS/)</script>
View the 'All Quotes" list to trigger the XSS