CVE-2026-2504
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Data Modification in Dealia WordPress Plugin via Missing Capability Checks

Publication date: 2026-02-19

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2504
EUVD
EUVD-2026-8231
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
dealia request_a_quote 1.0.6
dealia request_a_quote 1.0.8
dealia request_a_quote to 1.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Dealia – Request a quote plugin for WordPress has a vulnerability due to missing capability checks on multiple AJAX handlers in all versions up to and including 1.0.6. Specifically, the admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with the edit_posts capability (Contributor level and above) via wp_localize_script() in PostsController.php. However, the AJAX handlers in AdminSettingsController.php only verify the nonce without checking if the user has the 'manage_options' capability. This flaw allows authenticated users with Contributor-level access or higher to reset the plugin configuration without proper authorization.

Impact Analysis

This vulnerability allows authenticated users with Contributor-level access or higher to modify the plugin's configuration without proper authorization. This unauthorized modification could lead to changes in how the plugin operates, potentially disrupting website functionality or security settings controlled by the plugin.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should restrict access to the Dealia – Request a quote plugin's AJAX handlers by ensuring that only users with appropriate capabilities (such as 'manage_options') can execute them.

Specifically, update or patch the plugin to a version that includes proper capability checks on the AJAX handlers, or if a patch is not yet available, temporarily limit user roles to prevent Contributors or lower from accessing the plugin's functionality.

Additionally, monitor and audit user roles and permissions to ensure that only trusted users have Contributor-level access or higher.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2504. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart