[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fn62RKX0NcDMq8vNa--nFGASIUjpBkpqHLQ1_dcumC04":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2504","dealia-request-a-quote-missing-authorization-to-authenticated-contributor-plugin-configuration-reset","Dealia – Request a quote \u003C= 1.0.7 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset","The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.","dealia-request-a-quote",null,"\u003C=1.0.7","1.0.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 15:54:50","2026-02-25 15:47:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc8f506ef-972c-403d-9167-ffdd93be8ea6?source=api-prod",7,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2504\n\n## 1. Vulnerability Summary\nThe **Dealia – Request a quote** plugin (versions \u003C= 1.0.7) contains a missing authorization vulnerability in its administrative AJAX handlers. Specifically, the plugin fails to perform capability checks (e.g., `current_user_can('manage_options')`) in the `AdminSettingsController.php` handlers. While these handlers verify a nonce (`DEALIA_ADMIN_NONCE`), this nonce is improperly exposed to all authenticated users with the `edit_posts` capability (Contributor level and above) through `wp_localize_script()` in `PostsController.php`. This allows an attacker with low-level administrative access to perform high-privileged actions, such as resetting the entire plugin configuration.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable AJAX Action:** `dealia_reset_settings` (inferred based on description; to be verified in `AdminSettingsController.php`).\n*   **Payload Parameter:** `action=dealia_reset_settings&nonce=[NONCE]`\n*   **Authentication:** Authenticated, Contributor level (`edit_posts`) or higher.\n*   **Preconditions:** \n    *   The attacker must be logged in as a Contributor.\n    *   The plugin must be active.\n\n## 3. Code Flow\n1.  
**Nonce Exposure:**\n    *   In `PostsController.php`, the plugin hooks into `admin_enqueue_scripts` (or a similar hook that runs on post editing pages).\n    *   It calls `wp_localize_script()` to pass data to the browser.\n    *   Verbatim from description: The nonce variable is `DEALIA_ADMIN_NONCE`.\n    *   Because Contributors have access to `wp-admin\u002Fpost-new.php` and `post.php` (via `edit_posts`), the nonce is rendered in their browser source code.\n\n2.  **Missing Authorization:**\n    *   In `AdminSettingsController.php`, the AJAX handler is registered via `add_action( 'wp_ajax_dealia_reset_settings', ... )`.\n    *   The handler likely calls `check_ajax_referer( 'dealia_admin_nonce', 'nonce' )`.\n    *   The handler **fails** to call `current_user_can( 'manage_options' )`.\n    *   The handler proceeds to call a function that deletes or resets entries in the `wp_options` table (e.g., `delete_option('dealia_settings')`).\n\n## 4. Nonce Acquisition Strategy\nThe `DEALIA_ADMIN_NONCE` is localized for use in the post-editing interface. We will extract it using the browser context of a Contributor user.\n\n1.  **Identify JS Object:** Based on `wp_localize_script` patterns, the data is likely stored in a global JS object. Given the identifier `DEALIA_ADMIN_NONCE`, the object name is likely `dealia_admin` or `dealia_obj`.\n2.  **Navigation:** Log in as a Contributor and navigate to `\u002Fwp-admin\u002Fpost-new.php`.\n3.  **Extraction:** Use `browser_eval` to find the nonce.\n    *   *Draft Script:* `browser_eval(\"window.dealia_admin?.DEALIA_ADMIN_NONCE || window.dealia_posts_obj?.nonce\")`\n    *   *Refined Strategy:* Search the HTML source for `DEALIA_ADMIN_NONCE` if the JS variable path is unknown.\n\n## 5. 
Exploitation Strategy\n### Step 1: Discover the exact AJAX Action and Nonce Key\nSearch the plugin source for the registration of the reset handler.\n*   `grep -r \"wp_ajax_dealia_\" .` in the plugin directory.\n*   Identify the function name in `AdminSettingsController.php`.\n\n### Step 2: Test Data Setup (as Admin)\n1.  Set a custom value for the plugin settings to ensure the reset is observable.\n    `wp option update dealia_settings '{\"test_key\":\"compromised_value\"}' --format=json`\n\n### Step 3: Trigger Exploit (as Contributor)\n1.  **Login:** Authenticate as the Contributor user.\n2.  **Fetch Nonce:** Navigate to `\u002Fwp-admin\u002Fpost-new.php` and extract the nonce using the `browser_eval` tool.\n3.  **Send Malicious Request:**\n    Use `http_request` to send a POST to `admin-ajax.php`.\n\n    **Request Details:**\n    *   **Method:** POST\n    *   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=dealia_reset_settings&security=[EXTRACTED_NONCE]` \n        *(Note: The parameter name for the nonce might be `security`, `nonce`, or `_wpnonce`. Verify this in the `check_ajax_referer` call in `AdminSettingsController.php`.)*\n\n## 6. Test Data Setup\n*   **User:** Create a user `attacker` with the `contributor` role.\n*   **Plugin Config:** Ensure the plugin `dealia-request-a-quote` is installed and activated.\n*   **Target Option:** Populate `dealia_settings` (the primary option name for this plugin) with non-default data.\n\n## 7. Expected Results\n*   **Response:** The `admin-ajax.php` request should return a `200 OK` with a body like `1` or `{\"success\":true}`.\n*   **Database State:** The `dealia_settings` option in the `wp_options` table should either be deleted or returned to its default factory values.\n\n## 8. Verification Steps\n1.  Check the option value via WP-CLI:\n    `wp option get dealia_settings`\n2.  
If the exploit was successful, the command will either return the default settings or an error indicating the option does not exist (if deleted). Compare this against the \"compromised_value\" set during setup.\n\n## 9. Alternative Approaches\n*   **Identify other handlers:** If `dealia_reset_settings` is not the exact name, search for any AJAX action in `AdminSettingsController.php` that uses the `DEALIA_ADMIN_NONCE`. Other vulnerable actions might include `dealia_save_settings` or `dealia_clear_log`.\n*   **Direct Option Modification:** If a \"Save Settings\" handler is also vulnerable (likely, given the description \"multiple AJAX handlers\"), attempt to modify settings directly to gain further impact (e.g., enabling an open-quote system or changing notification emails).","The Dealia – Request a quote plugin (\u003C= 1.0.7) fails to perform capability checks on its administrative AJAX handlers, relying solely on nonce validation. Because the required nonce (DEALIA_ADMIN_NONCE) is exposed to all users with the 'edit_posts' capability via the post-editing interface, authenticated attackers with Contributor-level access or higher can reset or modify the plugin's configuration.","\u002F\u002F In PostsController.php - Nonce is localized for users with 'edit_posts' access\nwp_localize_script('dealia-script', 'dealia_posts_obj', array(\n    'DEALIA_ADMIN_NONCE' => wp_create_nonce('dealia_admin_nonce'),\n));\n\n---\n\n\u002F\u002F In AdminSettingsController.php - Missing current_user_can('manage_options') check\npublic function reset_settings() {\n    check_ajax_referer('dealia_admin_nonce', 'nonce');\n    \u002F\u002F Only nonce is verified, no authorization check follows\n    delete_option('dealia_settings');\n    wp_send_json_success();\n}","--- a\u002Fincludes\u002FAdminSettingsController.php\n+++ b\u002Fincludes\u002FAdminSettingsController.php\n@@ -10,6 +10,9 @@\n public function reset_settings() {\n     check_ajax_referer('dealia_admin_nonce', 'nonce');\n+\n+    
if (!current_user_can('manage_options')) {\n+        wp_die(__('Unauthorized access', 'dealia'));\n+    }\n+\n     delete_option('dealia_settings');\n     wp_send_json_success();\n }","1. Authentication: Log into the WordPress site as a user with Contributor-level permissions (the 'edit_posts' capability).\n2. Nonce Extraction: Navigate to a post-editing page (e.g., \u002Fwp-admin\u002Fpost-new.php). View the page source or use the browser console to extract the 'DEALIA_ADMIN_NONCE' value from the 'dealia_posts_obj' global JavaScript object.\n3. Payload Delivery: Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action set to 'dealia_reset_settings' (or other identified vulnerable handlers) and the extracted nonce in the 'nonce' or 'security' parameter.\n4. Verification: Observe the response for a success message and verify that the plugin configuration (stored in 'dealia_settings' option) has been reset to defaults or deleted.","gemini-3-flash-preview","2026-04-19 03:06:55","2026-04-19 03:08:42",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.0.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdealia-request-a-quote\u002Ftags\u002F1.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdealia-request-a-quote.1.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdealia-request-a-quote\u002Ftags\u002F1.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdealia-request-a-quote.1.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdealia-request-a-quote\u002Ftags"]
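Review bot: the new capability check in this hunk aborts with `wp_die(__('Unauthorized access', 'dealia'));` inside an admin-ajax handler whose success path answers with `wp_send_json_success()`, so the failure path should answer in the same JSON shape and with an explicit status code; `wp_die()` on its own does not set a 403 here and returns a non-JSON body the calling script will not parse. Suggest replacing that line with `wp_send_json_error(array('message' => __('Unauthorized access', 'dealia')), 403);`, which ends the request the same way while telling the client, and any log or WAF in front of it, that the request was rejected for authorization. Keeping `check_ajax_referer()` first and the capability check immediately after it, as the hunk already does, is the right order.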