CVE-2026-2504
Unauthorized Data Modification in Dealia WordPress Plugin via Missing Capability Checks
Publication date: 2026-02-19
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dealia | request_a_quote | 1.0.6 |
| dealia | request_a_quote | 1.0.8 |
| dealia | request_a_quote | to 1.0.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Dealia β Request a quote plugin for WordPress has a vulnerability due to missing capability checks on multiple AJAX handlers in all versions up to and including 1.0.6. Specifically, the admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with the edit_posts capability (Contributor level and above) via wp_localize_script() in PostsController.php. However, the AJAX handlers in AdminSettingsController.php only verify the nonce without checking if the user has the 'manage_options' capability. This flaw allows authenticated users with Contributor-level access or higher to reset the plugin configuration without proper authorization.
How can this vulnerability impact me? :
This vulnerability allows authenticated users with Contributor-level access or higher to modify the plugin's configuration without proper authorization. This unauthorized modification could lead to changes in how the plugin operates, potentially disrupting website functionality or security settings controlled by the plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should restrict access to the Dealia β Request a quote plugin's AJAX handlers by ensuring that only users with appropriate capabilities (such as 'manage_options') can execute them.
Specifically, update or patch the plugin to a version that includes proper capability checks on the AJAX handlers, or if a patch is not yet available, temporarily limit user roles to prevent Contributors or lower from accessing the plugin's functionality.
Additionally, monitor and audit user roles and permissions to ensure that only trusted users have Contributor-level access or higher.