PT-2026-54640 · Emarket Design · Request A Quote – Quote Forms For Any Wordpress Site
Mitchell · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-14249
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv_ with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.
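Added example, not code from the plugin or from this advisory: a Python heuristic that audits PHP source for the pattern described above, an unauthenticated wp_ajax_nopriv_ handler whose body contains a variable-function call. The demo_* names and the sample PHP are constructed for illustration; only callbacks passed as plain strings are resolved, so class-method and closure callbacks need separate handling.

```python
import re

# Constructed sample, NOT the plugin's source: it only mirrors the pattern the
# advisory describes (nopriv AJAX handler + nonce check + variable-function call).
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_nopriv_demo_delete_file', 'demo_delete_file');
add_action('wp_ajax_nopriv_demo_ping', 'demo_ping');
function demo_delete_file() {
    check_ajax_referer('demo_nonce', 'nonce');
    $sess_name = sanitize_text_field($_POST['path']);
    $sess_name();
    wp_die();
}
function demo_ping() { wp_send_json_success('pong'); }
"""

# add_action('wp_ajax_nopriv_<action>', '<callback>') with a string callback.
NOPRIV = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")
VAR_CALL = re.compile(r"\$(\w+)\s*\(")          # $name( ... ) = variable function
SUPERGLOBAL = re.compile(r"\$_(POST|GET|REQUEST)\b")

def function_body(src, name):
    """Return the brace-matched body of a PHP function (heuristic: braces
    inside string literals are not skipped)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i]
    return ""

def audit(src):
    """List unauthenticated AJAX handlers that call a function through a variable."""
    findings = []
    for action, callback in NOPRIV.findall(src):
        body = function_body(src, callback)
        calls = sorted(set(VAR_CALL.findall(body)))
        if calls:
            findings.append({"action": action, "callback": callback,
                             "variables": calls,
                             "reads_request": bool(SUPERGLOBAL.search(body))})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PHP):
        print(finding)
```

A finding with reads_request set to True is the combination to review first: the nonce check does not change the result, because the advisory notes the nonce is printed into a public page.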
Fix
Special Elements Injection
Weakness Enumeration
Related Identifiers
Affected Products
Request A Quote – Quote Forms For Any Wordpress Site