Description
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin configuration reset via contributor-level access
Action: Update Plugin
AI Analysis

Impact

The Dealia – Request a quote plugin for WordPress allows authenticated users with Contributor-level or higher roles to reset the plugin configuration because its settings AJAX handlers perform no capability check. The admin nonce (DEALIA_ADMIN_NONCE) is localized into a script that every user holding the edit_posts capability can load, while the handlers in AdminSettingsController.php only verify that nonce and never call current_user_can('manage_options'). A nonce is a CSRF token, not an authorization decision: it proves the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action. Any user who can edit posts can therefore read the nonce and send the reset request, disrupting the quote-request features that depend on the plugin's settings. The flaw does not grant code execution or higher privileges; its effect is on the integrity of the plugin's configuration.

Affected Systems

All WordPress installations running the Dealia – Request a quote plugin at version 1.0.7 or earlier are affected. The flaw lies in the plugin's own files (AdminSettingsController.php and PostsController.php), so it is present on any site with the plugin active, regardless of the WordPress core version. Sites that rely on the plugin's configuration for quoting or lead capture are the ones at risk. Note that the affected range was extended from <= 1.0.6 to <= 1.0.7 after initial publication, so the version you upgrade to should be confirmed against the vendor changelog as one that actually adds the capability checks.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): reachable over the network with low complexity and no user interaction, but requiring an authenticated low-privilege account and affecting integrity only. The EPSS score is below 1%, so exploitation in the wild is currently estimated as unlikely. The CVE is not in the CISA KEV catalog, which means no in-the-wild exploitation has been confirmed, not that no exploit exists; once a Contributor has the nonce, the attack is a single authenticated request to the affected handler. Attackers need an account with the edit_posts capability, so the realistic path is a malicious or compromised Contributor-level account on a site that grants such accounts (multi-author sites, open registration with an elevated default role). The advisory describes no code execution or data disclosure; the primary risk is loss of the plugin's configuration.

Generated by OpenCVE AI on April 15, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dealia – Request a quote plugin to a release newer than 1.0.7 in which the vendor has added capability checks to the AJAX handlers (1.0.8 or newer is the expected fix; because the affected range was already extended once, from 1.0.6 to 1.0.7, confirm the fix in the vendor changelog rather than assuming the next release).
  • If an upgrade is not immediately possible, patch AdminSettingsController.php so that each affected handler calls current_user_can('manage_options') and aborts (for example with wp_send_json_error(null, 403)) before doing any work. Removing the handlers outright is not a good workaround: it also breaks the legitimate administrator settings page.
  • Narrowing the wp_localize_script() call in PostsController.php so the nonce is emitted only on the plugin's admin screens, and limiting who holds Contributor accounts, are worthwhile defense in depth, but neither is a fix on its own. The nonce guards against cross-site request forgery, not against an authenticated but unprivileged caller; the capability check inside the handler is the control that closes this bug.
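The pattern the Impact section describes, and the fix the actions above call for, side by side in PHP. This is an added illustration, not code from the Dealia plugin, from Wordfence, or from OpenCVE: the page names only DEALIA_ADMIN_NONCE, PostsController.php and AdminSettingsController.php, so the hook names (dealia_reset_settings_vuln, dealia_reset_settings), the nonce action string dealia_admin, the JavaScript object name dealiaAdmin, the option name dealia_settings and the editor-screen check are assumptions chosen for the example.

```php
<?php
/*
 * Added example, not the Dealia plugin's own code. Every identifier below
 * except the WordPress API functions is an assumption made for illustration.
 */

// --- The exposure: a nonce localized into a script that loads on the post
// editor, which every Contributor+ (edit_posts) can open. A nonce proves the
// request came from a page WordPress rendered for this user; it says nothing
// about what the user is allowed to do.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'post.php' !== $hook_suffix && 'post-new.php' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'dealia-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'dealia-admin', 'dealiaAdmin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'dealia_admin' ), // readable by anyone who can edit posts
    ) );
} );

// --- Vulnerable shape (CWE-862, missing authorization): the handler treats a
// valid nonce as permission. check_ajax_referer() dies on a bad nonce, but
// every Contributor who opened the editor holds a good one.
add_action( 'wp_ajax_dealia_reset_settings_vuln', function () {
    check_ajax_referer( 'dealia_admin', 'nonce' ); // CSRF check only
    delete_option( 'dealia_settings' );             // destructive admin action, no capability check
    wp_send_json_success();
} );

// --- Shared gate for the hardened handlers: the nonce blocks cross-site
// request forgery, current_user_can() blocks an authenticated but
// unprivileged caller. Both checks are required; neither replaces the other.
function dealia_require_settings_admin( $nonce_action, $nonce_field = 'nonce' ) {
    check_ajax_referer( $nonce_action, $nonce_field );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below it runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

// --- Hardened handler: identical behaviour for administrators, 403 for
// everyone else, regardless of whether they hold a valid nonce.
add_action( 'wp_ajax_dealia_reset_settings', function () {
    dealia_require_settings_admin( 'dealia_admin' );
    delete_option( 'dealia_settings' );
    wp_send_json_success( array( 'reset' => true ) );
} );
```

To audit any plugin for the same bug, enumerate its AJAX registrations with `grep -rn "wp_ajax_" <plugin-dir>` and read each callback: one that calls check_ajax_referer() or wp_verify_nonce() but never current_user_can() (or a helper that does) has exactly the shape of this CVE, and the handlers registered under wp_ajax_nopriv_ deserve the same reading with the bar set even lower.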



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Description
  Values Removed: The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
  Values Added: The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
Title
  Values Removed: Dealia – Request a quote <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset
  Values Added: Dealia – Request a quote <= 1.0.7 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset

Fri, 20 Feb 2026 01:15:00 +0000

Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

First Time appeared
  Values Added: Dealia; Dealia dealia – Request A Quote; Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Dealia; Dealia dealia – Request A Quote; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 05:00:00 +0000

Description
  Values Added: The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
Title
  Values Added: Dealia – Request a quote <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset
Weaknesses
  Values Added: CWE-862
References
  Values Added: (none)
Metrics (cvssV3_1)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:43.481Z

Reserved: 2026-02-13T22:10:20.072Z

Link: CVE-2026-2504

Vulnrichment

Updated: 2026-02-19T21:14:18.356Z

NVD

Status : Deferred

Published: 2026-02-19T07:17:46.740

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses