CVE-2026-14249
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-14249 is a code injection vulnerability in the "Request a Quote – Quote Forms for Any WordPress Site" plugin by emarket-design, affecting versions up to and including 2.5.5. The flaw allows unauthenticated remote attackers to invoke arbitrary zero-argument PHP functions on the server via the emd_delete_file AJAX action. It was published and disclosed on July 2, 2026, with a patch made available the same day. The vulnerability carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Wordfence).

Technical Details

The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-94 (Code Injection). The emd_delete_file() handler reads the attacker-controlled $_POST['path'] parameter, treats its value as a PHP function name, and invokes it dynamically using PHP's variable-function call syntax ($sess_name()). Although the handler is registered under the wp_ajax_nopriv hook (reachable by unauthenticated users) and is guarded by a nonce check, the nonce value itself is printed on the public quote-form page via wp_localize_script, so the check provides no real authorization. As a result, any unauthenticated network attacker can call arbitrary zero-argument PHP built-in functions such as phpinfo(), phpversion(), or potentially destructive functions (GitHub Advisory, Wordfence).

Impact

Successful exploitation allows unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, which can expose sensitive server configuration details and credentials (e.g., via phpinfo()), or trigger destructive built-in PHP functions that compromise system integrity. The primary impact is high integrity risk, with potential secondary confidentiality exposure through information disclosure of server environment variables, PHP configuration, and loaded extensions. While the vulnerability is constrained to zero-argument functions (limiting direct remote code execution to arbitrary commands), it can still facilitate reconnaissance and further exploitation of the affected WordPress environment (GitHub Advisory, Wordfence).

Exploitation Steps

  1. Reconnaissance: Identify WordPress sites running the "Request a Quote" plugin version ≤ 2.5.5 using tools like WPScan, Shodan, or by checking /wp-content/plugins/request-a-quote/ for version indicators.
  2. Obtain the nonce: Visit any public page on the target site that renders the quote form. The plugin outputs the nonce value in the page's JavaScript via wp_localize_script, making it readable from the page source or browser developer tools.
  3. Craft the malicious AJAX request: Send an HTTP POST request to /?action=emd_delete_file (or the site's AJAX endpoint, typically wp-admin/admin-ajax.php), setting the action parameter to emd_delete_file, the nonce parameter to the extracted nonce value, and the path parameter to the name of the target PHP function (e.g., phpinfo).
  4. Invoke the PHP function: The server's emd_delete_file() handler reads $_POST['path'], assigns it to $sess_name, and calls $sess_name(), executing the specified PHP function (e.g., phpinfo()) and returning its output.
  5. Harvest information or cause impact: Review the server response for sensitive configuration data (PHP version, loaded modules, environment variables, credentials in $_ENV), or invoke other zero-argument destructive functions to impact availability or integrity (GitHub Advisory, Wordfence).

Indicators of Compromise

  • Network: Unexpected POST requests to wp-admin/admin-ajax.php with action=emd_delete_file from unauthenticated (non-logged-in) sources; unusual outbound connections from the web server following such requests.
  • Logs: Web server access logs showing POST requests to admin-ajax.php with action=emd_delete_file and a path parameter containing PHP function names (e.g., phpinfo, phpversion, ob_start); repeated requests from the same IP probing different function names.
  • File System: Unexpected new files written to the WordPress installation directory or /tmp if a destructive function with side effects was invoked.
  • Process: Unusual PHP child processes or system calls spawned from the web server process following AJAX requests to the vulnerable endpoint.

Mitigation and Workarounds

Update the "Request a Quote" plugin to a version newer than 2.5.5, which contains the patch addressing this vulnerability (changeset available in the WordPress plugin repository). As an interim workaround, consider disabling the plugin until the update can be applied, or implement Web Application Firewall (WAF) rules to block POST requests to admin-ajax.php with action=emd_delete_file from unauthenticated users. Review server logs for any prior exploitation attempts targeting this endpoint (GitHub Advisory, Wordfence).
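The log indicator above (POST requests to admin-ajax.php naming action=emd_delete_file) and the interim WAF rule from the mitigation paragraph, as an added example that is not part of the original advisory or the plugin's code. The log lines are constructed; the cookie-prefix check for "logged in" is a heuristic that stands in for a real WAF's session awareness.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache/Nginx "combined" log lines (hypothetical sample data).
# Note that access logs carry only the query string, not the POST body, so
# requests that pass action=emd_delete_file in the form body (fourth line)
# cannot be recognised from the access log alone.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2026:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=emd_delete_file HTTP/1.1" 200 1523 "-" "python-requests/2.31"
203.0.113.7 - - [02/Jul/2026:10:01:14 +0000] "POST /wp-admin/admin-ajax.php?action=emd_delete_file HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [02/Jul/2026:10:02:03 +0000] "GET /request-a-quote/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jul/2026:10:02:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41 "https://example.test/request-a-quote/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_emd_delete_file_hits(log_text):
    """Return (ip, timestamp) for every POST to admin-ajax.php whose query
    string names the vulnerable AJAX action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        if "emd_delete_file" in parse_qs(parts.query).get("action", []):
            hits.append((m["ip"], m["ts"]))
    return hits

def hits_per_ip(log_text):
    """Count flagged requests per source IP to surface repeated probing."""
    return Counter(ip for ip, _ in flag_emd_delete_file_hits(log_text))

def should_block(method, path, query, body, cookies):
    """Interim WAF decision: block unauthenticated POSTs to admin-ajax.php that
    name action=emd_delete_file in the query string or the form body.
    'Unauthenticated' is approximated by the absence of a WordPress
    wordpress_logged_in_* cookie (heuristic; assumption of this example)."""
    if method != "POST" or not path.endswith("/admin-ajax.php"):
        return False
    actions = parse_qs(query).get("action", []) + parse_qs(body).get("action", [])
    if "emd_delete_file" not in actions:
        return False
    return not any(name.startswith("wordpress_logged_in_") for name in cookies)
```

Because the access log cannot see body parameters, pair the log scan with WAF or request-body logging when hunting for prior exploitation attempts.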

Community Reactions

The vulnerability was assigned and disclosed by Wordfence, which maintains a threat intelligence database entry for this CVE. No notable independent researcher commentary, social media discussion, or broader media coverage has been identified at this time, consistent with the recency of the disclosure and the absence of a public PoC (Wordfence).

This report was generated using AI.

Related WordPress Vulnerabilities:

CVE ID           Severity  Score  Component              CISA KEV Exploit  Fixed  Publication Date
CVE-2026-5821    HIGH      8.1    image-optimization     No                Yes    Jul 02, 2026
CVE-2026-14249   HIGH      7.5    request-a-quote        No                Yes    Jul 02, 2026
CVE-2026-13704   MEDIUM    6.4    give                   No                Yes    Jul 02, 2026
CVE-2026-5348    MEDIUM    5.3    academy                No                Yes    Jul 02, 2026
CVE-2026-13357   MEDIUM    4.9    houzez-property-feed   No                Yes    Jul 02, 2026
