PT-2026-20642 · WordPress · Dealia – Request A Quote
Ronnachai Sretawat Na Ayutaya +1 · Published 2026-02-19 · Updated 2026-02-19 · CVE-2026-2504
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Dealia – Request a quote plugin for WordPress versions through 1.0.6
Description
The Dealia – Request a quote plugin for WordPress is susceptible to unauthorized data modification due to insufficient capability checks within multiple AJAX handlers. The DEALIA_ADMIN_NONCE is exposed to users with the edit_posts capability (Contributor+) through wp_localize_script() in PostsController.php. Additionally, AJAX handlers in AdminSettingsController.php only validate the nonce without verifying that the current user has the manage_options capability. This allows authenticated attackers with Contributor-level access or higher to reset the plugin configuration.
Recommendations
Update to a version beyond 1.0.6.
Fix
Missing Authorization
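The pattern behind this weakness, shown as an added illustration rather than the plugin's own code: a nonce handed to every admin-area user through wp_localize_script(), an AJAX handler that checks only that nonce, and the hardened handler that also checks the manage_options capability. All names here (the example_* functions, EXAMPLE_ADMIN, the example_settings option and the settings page hook suffix) are hypothetical; the WordPress APIs (check_ajax_referer, current_user_can, wp_localize_script, wp_send_json_error) are real.

```php
<?php
// Added illustration, not the Dealia plugin's code. Every example_* name,
// EXAMPLE_ADMIN and the example_settings option are hypothetical.

// --- 1. How an admin nonce reaches low-privileged users -------------------
// Enqueued on every admin page, this exposes the nonce to anyone who can load
// wp-admin, which includes Contributors (edit_posts only). Restricting the
// enqueue to the plugin's own settings screen keeps it away from them.
function example_enqueue_admin_script( $hook_suffix ) {
    // 'settings_page_example' is the hook suffix WordPress assigns to an
    // options page registered with slug 'example' (hypothetical slug).
    if ( 'settings_page_example' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'EXAMPLE_ADMIN', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_admin_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

// --- 2. Vulnerable shape (shown for contrast, deliberately not hooked) ----
// A nonce only proves the request originated from a page this site served to
// the logged-in user; it says nothing about what that user is allowed to do.
// Any Contributor who obtained the nonce can reach this handler.
function example_reset_settings_vulnerable() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    delete_option( 'example_settings' );
    wp_send_json_success( 'settings reset' );
}

// --- 3. Hardened shape: nonce AND capability -----------------------------
// The capability check is the missing authorization control. It must run on
// every privileged handler; relying on the nonce being hard to obtain is not
// an authorization decision.
function example_reset_settings_fixed() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() emits the JSON body with HTTP 403 and exits.
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    delete_option( 'example_settings' );
    wp_send_json_success( 'settings reset' );
}
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_fixed' );
```

When reviewing a plugin for this class of bug, check each wp_ajax_* callback for a current_user_can() call on the capability that matches the action's impact, independently of whether a nonce is verified; a nonce is a CSRF control, not an access control.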
Weakness Enumeration
Related Identifiers
Affected Products
Dealia – Request A Quote