CVE-2026-14249
Received Received - Intake

Code Injection in WordPress Request a Quote Plugin

Vulnerability report for CVE-2026-14249, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Wordfence

Description

The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpressextensions request_a_quote to 2.5.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Request a Quote plugin for WordPress versions up to and including 2.5.5 has a code injection vulnerability via the emd_delete_file AJAX action.

This happens because the emd_delete_file() handler takes a PHP function name from an attacker-controlled POST parameter called 'path' and calls it dynamically without proper validation.

The handler is registered for unauthenticated AJAX requests and only protected by a nonce that is publicly available on the quote form page, allowing attackers to invoke arbitrary zero-argument PHP functions on the server.

This can lead to execution of dangerous PHP functions like phpinfo(), which can expose sensitive server information or allow other destructive actions.

Impact Analysis

This vulnerability allows unauthenticated attackers to execute arbitrary zero-argument PHP functions on the server hosting the vulnerable plugin.

Potential impacts include exposure of sensitive server configuration and credentials if functions like phpinfo() are invoked.

Attackers might also execute other destructive built-in PHP functions, potentially compromising the integrity of the server or application.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14249. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart