Threat Entry Updated 2026-04-15

CVE-2026-2718 - Request A Quote Plugin

The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.8. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Request A Quote

CVE-2026-2718

MEDIUM CVSS 6.4 2026-02-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-2504 - Request A Quote Plugin

The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.

PLUGIN Request A Quote

CVE-2026-2504

MEDIUM CVSS 4.3 2026-02-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-20

CVE-2024-6231 - Request A Quote Plugin

The Request a Quote WordPress plugin before 2.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Request A Quote

CVE-2024-6231

MEDIUM CVSS 5.9 2024-07-23

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-2240 - Request A Quote Plugin

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it

PLUGIN Request A Quote

CVE-2022-2240

HIGH CVSS 8.8 2022-07-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-2239 - Request A Quote Plugin

The Request a Quote WordPress plugin before 2.3.9 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Request A Quote

CVE-2022-2239

MEDIUM CVSS 4.8 2022-07-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24489 - Request A Quote Plugin

The Request a Quote WordPress plugin before 2.3.9 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.

PLUGIN Request A Quote

CVE-2021-24489

MEDIUM CVSS 4.8 2021-10-25

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2021-24420 - Request A Quote Plugin

The Request a Quote WordPress plugin before 2.3.4 did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table.

PLUGIN Request A Quote

CVE-2021-24420

MEDIUM CVSS 5.4 2021-07-12

Risk Score

Open Full Technical Breakdown