CVE-2026-2504

Name of the Vulnerable Software and Affected Versions Dealia – Request a quote plugin for WordPress versions through 1.0.6

Description The Dealia – Request a quote plugin for WordPress is susceptible to unauthorized data modification. This is due to insufficient capability checks within multiple AJAX handlers. The DEALIA ADMIN NONCE is exposed to users with edit posts capability (Contributor+) through wp localize script() in PostsController.php. Additionally, AJAX handlers in AdminSettingsController.php only validate the nonce without verifying if the current user has 'manage options' capability. This allows authenticated attackers with Contributor-level access or higher to reset the plugin configuration.

Recommendations Update to a version beyond 1.0.6.