Vulnerability-Lookup

CVE-2026-2504 (GCVE-0-2026-2504)

Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:14

Title

Dealia – Request a quote <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset

Summary

The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-862 - Missing Authorization

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://plugins.trac.wordpress.org/browser/dealia…
	https://plugins.trac.wordpress.org/browser/dealia…
	https://plugins.trac.wordpress.org/browser/dealia…
	https://plugins.trac.wordpress.org/browser/dealia…
	https://plugins.trac.wordpress.org/browser/dealia…
	https://plugins.trac.wordpress.org/browser/dealia…

Impacted products

	Vendor	Product	Version
	dealia	Dealia – Request a quote	Affected: * , ≤ 1.0.6 (semver)

Credits

Ronnachai Sretawat Na Ayutaya

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2504",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-19T21:14:05.072101Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-19T21:14:23.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Dealia \u2013 Request a quote",
          "vendor": "dealia",
          "versions": [
            {
              "lessThanOrEqual": "1.0.6",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronnachai Sretawat Na Ayutaya"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dealia \u2013 Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T04:36:23.492Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-18T15:54:50.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Dealia \u2013 Request a quote \u003c= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2504",
    "datePublished": "2026-02-19T04:36:23.492Z",
    "dateReserved": "2026-02-13T22:10:20.072Z",
    "dateUpdated": "2026-02-19T21:14:23.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2504\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-02-19T07:17:46.740\",\"lastModified\":\"2026-02-19T15:52:39.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Dealia \u2013 Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2504\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-19T21:14:05.072101Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-19T21:14:18.356Z\"}}], \"cna\": {\"title\": \"Dealia \\u2013 Request a quote \u003c= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ronnachai Sretawat Na Ayutaya\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"dealia\", \"product\": \"Dealia \\u2013 Request a quote\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.0.6\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-18T15:54:50.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Dealia \\u2013 Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-02-19T04:36:23.492Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2504\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-19T21:14:23.380Z\", \"dateReserved\": \"2026-02-13T22:10:20.072Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-02-19T04:36:23.492Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-F4VX-R87Q-VG6C

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31

Details

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-2504"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T07:17:46Z",
    "severity": "MODERATE"
  },
  "details": "The Dealia \u2013 Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.",
  "id": "GHSA-f4vx-r87q-vg6c",
  "modified": "2026-02-19T18:31:51Z",
  "published": "2026-02-19T18:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2504"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2026-2504

Vulnerability from fkie_nvd - Published: 2026-02-19 07:17 - Updated: 2026-02-19 15:52

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49
	security@wordfence.com	https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Dealia \u2013 Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration."
    }
  ],
  "id": "CVE-2026-2504",
  "lastModified": "2026-02-19T15:52:39.260",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@wordfence.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-19T07:17:46.740",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-2504 (GCVE-0-2026-2504)

GHSA-F4VX-R87Q-VG6C

FKIE_CVE-2026-2504

Tags

Sightings

Nomenclature