PT-2026-54640 · Emarket Design · Request A Quote – Quote Forms For Any Wordpress Site

Mitchell · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-14249

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.
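
The class of flaw described above, reduced to a stand-alone PHP sketch that contrasts the variable-function call with an allow-list dispatch. This is an added example, not the plugin's code or its fix; the function names, the handler map and the $is_authorized flag are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.

// Risky shape named in the advisory: request data becomes a function name.
// (Simplified; the advisory does not show how the plugin derives the name.)
function risky_dispatch(array $post): void
{
    $sess_name = (string) ($post['path'] ?? '');
    if (function_exists($sess_name)) {
        $sess_name(); // the requester, not the code, picks what runs
    }
}

// Hardened shape: input may only select a key from a fixed map of closures.
function cleanup_handlers(): array
{
    return [
        'quote_attachment' => static function (): string { return 'attachment session cleared'; },
        'quote_draft'      => static function (): string { return 'draft session cleared'; },
    ];
}

function safe_dispatch(array $post, bool $is_authorized): string
{
    // In WordPress: register on wp_ajax_ only (not wp_ajax_nopriv_) and gate with
    // current_user_can(); a nonce printed into a public page is not authorization.
    if (!$is_authorized) {
        return 'denied';
    }
    $key = $post['path'] ?? null;
    $handlers = cleanup_handlers();
    if (!is_string($key) || !array_key_exists($key, $handlers)) {
        return 'rejected';
    }
    return $handlers[$key]();
}

// Constructed sample requests.
$samples = [['path' => 'quote_draft'], ['path' => 'phpinfo'], ['path' => ['x']], []];
foreach ($samples as $post) {
    echo json_encode($post), ' => ', safe_dispatch($post, true), PHP_EOL;
}
echo 'unauthenticated => ', safe_dispatch(['path' => 'quote_draft'], false), PHP_EOL;
```

Only risky_dispatch() lets the request choose a function; safe_dispatch() rejects any value that is not a key of the fixed map, including non-string input.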

Fix

Special Elements Injection


Weakness Enumeration

Related Identifiers

CVE-2026-14249

Affected Products

Request A Quote – Quote Forms For Any Wordpress Site