Back to overview

CVE-2026-14249

HIGH
7.5
CVSS 3.1
Description
The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.

Metadata

CVE ID
CVE-2026-14249
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-30 14:10 UTC
Published
2026-07-02 05:35 UTC
Last updated
2026-07-02 05:35 UTC
Primary CWE
CWE-74
CWE-74 Improper Neutralization of Special Elements in Output…
Vendor / Product
emarket-design / Request a Quote – Quote Forms for Any WordPress Site
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
emarket-design Request a Quote – Quote Forms for Any WordPress Site 0 ≤ 2.5.5
Weakness (CWE)
CWESourceDescription
CWE-74 cna CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Back to overview