WordPress · Dealia – Request A Quote · CVE-2026-2504
**Name of the Vulnerable Software and Affected Versions**
Dealia – Request a quote plugin for WordPress versions through 1.0.6
**Description**
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized data modification because of missing capability checks in multiple AJAX handlers. The `DEALIA_ADMIN_NONCE` value is exposed to every user with the `edit_posts` capability (Contributor and above), since `PostsController.php` passes it to the browser through `wp_localize_script()`. The AJAX handlers in `AdminSettingsController.php` then validate only that nonce and never verify that the current user holds the `manage_options` capability. A nonce only proves that the request originated from a page the user was legitimately served; it is not an authorization check. As a result, authenticated attackers with Contributor-level access or higher can reset the plugin's configuration.
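The following is an added illustration of the bug class described above, not code from the Dealia plugin: an `admin-ajax.php` handler that checks a nonce but never checks a capability, shown next to the hardened form. All hook names, the script handle, the nonce action string and the option name are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not the plugin's own code) of the "nonce without capability check"
 * pattern behind CVE-2026-2504. Hook names, the JS handle, the nonce action and the
 * option name are assumptions for illustration only.
 */

// --- How the nonce reaches Contributor+ users ---------------------------------
// The nonce is created on the post editor screens, which any user with edit_posts
// (Contributor and above) can open. wp_localize_script() prints it into the page
// source, so every such user can read it and replay it against admin-ajax.php.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'post.php' !== $hook_suffix && 'post-new.php' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_admin_nonce' ), // assumed action string
    ) );
} );

// --- Vulnerable pattern: nonce only ------------------------------------------
// check_ajax_referer() dies on a missing or invalid nonce, which only proves the
// caller loaded a page carrying it. Nothing here asks what the caller may do, so a
// Contributor who copied the nonce from the editor page can wipe the settings.
add_action( 'wp_ajax_example_reset_settings_vulnerable', function () {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    delete_option( 'example_plugin_settings' ); // assumed option name
    wp_send_json_success( array( 'reset' => true ) );
} );

// --- Hardened pattern: nonce AND capability ----------------------------------
// The nonce still guards against CSRF; current_user_can() is the authorization
// check. wp_send_json_error() terminates the request, so no fall-through occurs.
add_action( 'wp_ajax_example_reset_settings', function () {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    delete_option( 'example_plugin_settings' );
    wp_send_json_success( array( 'reset' => true ) );
} );
```

When auditing a plugin for this pattern, grep every `wp_ajax_` hook for `check_ajax_referer()` or `wp_verify_nonce()` that is not paired with a `current_user_can()` call on an appropriate capability, and separately check where the nonce is minted: a nonce handed out on a screen that low-privilege roles can reach is effectively public to those roles. In the hardened version above the capability check belongs in the handler itself; restricting who receives the nonce is defence in depth, not a substitute.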
**Recommendations**
Update to a version beyond 1.0.6.