Atomic Edge analysis of CVE-2026-2504:
The Dealia – Request a quote WordPress plugin version 1.0.7 and earlier contains a missing authorization vulnerability in multiple AJAX handlers. This allows authenticated users with Contributor-level permissions or higher to reset the plugin’s configuration and perform administrative actions.

Atomic Edge research identifies the root cause in two components. The PostsController.php file exposes the administrative nonce to users with the edit_posts capability via wp_localize_script() at line 50. This nonce was previously defined as a constant DEALIA_ADMIN_NONCE in the main plugin file. The AdminSettingsController.php file contains AJAX handlers (login, create_account, reset, refresh, save_additional_settings) that verify this nonce but lack capability checks. These handlers only perform wp_verify_nonce() calls against DEALIA_ADMIN_NONCE without validating current_user_can('manage_options').

Exploitation requires an authenticated attacker with at least Contributor permissions. The attacker obtains the DEALIA_ADMIN_NONCE value from the localized JavaScript variables when editing posts. They then craft POST requests to /wp-admin/admin-ajax.php with action parameters matching the vulnerable handlers: dealia_ajax_reset, dealia_ajax_login, dealia_ajax_manage_account, dealia_ajax_refresh, or dealia_save_additional_settings. Each request includes the _wpnonce parameter containing the exposed nonce value. The reset handler at AdminSettingsController.php lines 426-443 is particularly impactful because it calls delete_option('dealia_options'), completely removing the plugin configuration.

The patch in version 1.0.8 addresses the vulnerability through multiple changes. The DEALIA_ADMIN_NONCE constant is removed from dealia-request-a-quote.php. Each AJAX handler in AdminSettingsController.php now includes a capability check: if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); }. The nonce verification changes from DEALIA_ADMIN_NONCE to a 'dealia_admin_nonce' action created via wp_create_nonce(). PostsController.php now uses a separate nonce, 'dealia_post_nonce', for post editing functions, so the administrative nonce is no longer handed to users who can only edit posts. Additional capability checks are added to FormsController.php and ProductsController.php methods.
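The pattern behind the fix, as an added illustration that is not the Dealia plugin's own code: the function names dealia_vulnerable_reset, dealia_hardened_reset, dealia_localize_nonces, the script handle 'dealia-admin' and the JavaScript object name dealiaData are hypothetical; the option name, AJAX action and nonce actions are those named in the analysis above.

```php
<?php
// Added illustration, not the plugin's source. Function names, the script
// handle and the localized object name are hypothetical; option, action and
// nonce names come from the advisory text.

// BEFORE (1.0.7 pattern): one shared nonce, handed to any user who can edit
// posts, is the only gate in front of a destructive handler.
function dealia_vulnerable_reset() {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', DEALIA_ADMIN_NONCE ) ) {
        wp_send_json_error( [ 'message' => 'Bad nonce' ], 400 );
    }
    delete_option( 'dealia_options' ); // reachable by a Contributor holding the nonce
    wp_send_json_success();
}

// AFTER (1.0.8 pattern): the nonce proves request intent (anti-CSRF); the
// capability check proves authorization. Both are required, and neither
// substitutes for the other.
function dealia_hardened_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); // calls wp_die()
    }
    // check_ajax_referer() terminates the request when the nonce is missing or stale.
    check_ajax_referer( 'dealia_admin_nonce', '_wpnonce' );
    delete_option( 'dealia_options' );
    wp_send_json_success( [ 'message' => 'Settings reset' ] );
}
add_action( 'wp_ajax_dealia_ajax_reset', 'dealia_hardened_reset' );

// One nonce per privilege boundary: post-editing scripts receive only
// 'dealia_post_nonce'; 'dealia_admin_nonce' is emitted only for users who
// already hold manage_options, so a Contributor never sees it.
function dealia_localize_nonces() {
    $data = [ 'ajax_url' => admin_url( 'admin-ajax.php' ) ];
    if ( current_user_can( 'edit_posts' ) ) {
        $data['post_nonce'] = wp_create_nonce( 'dealia_post_nonce' );
    }
    if ( current_user_can( 'manage_options' ) ) {
        $data['admin_nonce'] = wp_create_nonce( 'dealia_admin_nonce' );
    }
    // Assumes a script registered under the hypothetical handle 'dealia-admin'.
    wp_localize_script( 'dealia-admin', 'dealiaData', $data );
}
add_action( 'admin_enqueue_scripts', 'dealia_localize_nonces' );
```

When auditing other plugins for the same class of bug, look for wp_ajax_ handlers whose only guard is a nonce check and confirm that a current_user_can() test for the capability the action actually requires precedes any state change.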

Successful exploitation allows authenticated attackers with Contributor or higher permissions to reset the plugin configuration, potentially disrupting e-commerce functionality. Attackers can delete the dealia_options database entry, disconnect the plugin from external services, and modify integration settings. This could lead to loss of quote request functionality, broken product forms, and disruption of the WooCommerce integration. The vulnerability does not provide direct privilege escalation to WordPress administrative access but allows unauthorized modification of plugin data.