Dealia WordPress Plugin Allows Contributors to Modify Settings
CVE-2026-2504
Summary
The Dealia WordPress plugin for creating quotes allows users with Contributor-level access and above to modify plugin settings, because its AJAX handlers do not check that the caller has the required capability. This can allow unauthorized changes to the plugin's configuration. The issue affects all versions of the plugin up to and including 1.0.6. To protect your site, update to a patched version of the plugin or consider disabling it until a fix is available.
Original title
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including,...
Original description
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
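The description above names the root cause precisely: a nonce that every Contributor can read, checked by handlers that never ask whether the caller may manage options. The following PHP is an added illustration of that pattern and its fix, not code from the Dealia plugin; the hook names, function names, option key and nonce action string (`example_admin_action`) are hypothetical, while `check_ajax_referer`, `current_user_can`, `wp_localize_script` and the other calls are WordPress core APIs.

```php
<?php
// Added example, not the Dealia plugin's own code. All example_* names,
// the option key and the nonce action string are hypothetical.

// Vulnerable pattern: the handler verifies only the nonce. A nonce proves
// the request came from a page that had the nonce value available; it is
// a CSRF defence, not an authorization decision. If that nonce is localized
// for every user with edit_posts (Contributor+), any of them can call this.
function example_reset_settings_nonce_only() {
    check_ajax_referer( 'example_admin_action', 'nonce' ); // origin check only
    delete_option( 'example_plugin_settings' );            // reachable by Contributor+
    wp_send_json_success();
}

// Hardened pattern: keep the nonce check and add an explicit capability
// check. current_user_can() is the authorization decision the vulnerable
// handler was missing; wp_send_json_error() stops execution.
function example_reset_settings_hardened() {
    check_ajax_referer( 'example_admin_action', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_hardened' );

// Defence in depth: only localize the admin nonce for users who can actually
// manage options, instead of for everyone who can reach the post editor.
// This narrows exposure but does not replace the capability check above.
function example_enqueue_admin_script( $hook_suffix ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script(
        'example-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_admin_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

When reviewing a plugin for this class of bug (CWE-862), the useful check is mechanical: for every `wp_ajax_*` handler, confirm there is a `current_user_can()` call that matches the sensitivity of the action, independently of whether a nonce is verified. Restricting where the nonce is localized, as in the last function, reduces exposure but is not sufficient on its own.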
NVD CVSS 3.1
4.3
Vulnerability type
CWE-862: Missing Authorization
References
- https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src...
- https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src...
- https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src...
- https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src...
- https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Cont...
- https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Cont...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-916...
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026