CVE-2026-14249 is a code injection vulnerability in the "Request a Quote – Quote Forms for Any WordPress Site" plugin by emarket-design, affecting versions up to and including 2.5.5. The flaw allows unauthenticated remote attackers to invoke arbitrary zero-argument PHP functions on the server via the emd_delete_file AJAX action. It was published and disclosed on July 2, 2026, with a patch made available the same day. The vulnerability carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Wordfence).
The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-94 (Code Injection). The emd_delete_file() handler reads the attacker-controlled $_POST['path'] parameter, derives a PHP function name from it, and invokes it dynamically using PHP's variable-function call syntax ($sess_name()). While the handler is registered under wp_ajax_nopriv (accessible to unauthenticated users) and protected by a nonce, the nonce is publicly exposed on the quote-form page via wp_localize_script, rendering the protection ineffective. This allows any unauthenticated network attacker to call arbitrary zero-argument PHP built-in functions such as phpinfo(), phpversion(), or potentially destructive functions (GitHub Advisory, Wordfence).
Successful exploitation allows unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, which can expose sensitive server configuration details and credentials (e.g., via phpinfo()), or trigger destructive built-in PHP functions that compromise system integrity. The primary impact is high integrity risk, with potential secondary confidentiality exposure through information disclosure of server environment variables, PHP configuration, and loaded extensions. While the vulnerability is constrained to zero-argument functions (limiting direct remote code execution to arbitrary commands), it can still facilitate reconnaissance and further exploitation of the affected WordPress environment (GitHub Advisory, Wordfence).
Affected installations can be identified by inspecting /wp-content/plugins/request-a-quote/ for version indicators.
The nonce that guards the handler is exposed through wp_localize_script, making it readable from the page source or browser developer tools.
A request to /?action=emd_delete_file (or the site's AJAX endpoint, typically wp-admin/admin-ajax.php) with the action parameter set to emd_delete_file, the nonce parameter set to the extracted nonce value, and the path parameter set to the name of the target PHP function (e.g., phpinfo) reaches the vulnerable handler.
The emd_delete_file() handler reads $_POST['path'], assigns it to $sess_name, and calls $sess_name(), executing the specified PHP function (e.g., phpinfo()) and returning its output.
In this way an attacker can disclose server configuration and environment details (e.g., via phpinfo() or $_ENV), or invoke other zero-argument destructive functions to impact availability or integrity (GitHub Advisory, Wordfence).
Defenders should monitor POST requests to wp-admin/admin-ajax.php with action=emd_delete_file from unauthenticated (non-logged-in) sources, and watch for unusual outbound connections from the web server following such requests.
Log entries to admin-ajax.php with action=emd_delete_file and a path parameter containing PHP function names (e.g., phpinfo, phpversion, ob_start) are indicators of exploitation attempts, as are repeated requests from the same IP probing different function names.
Review /tmp for unexpected changes if a destructive function with side effects was invoked.
Update the "Request a Quote" plugin to a version newer than 2.5.5, which contains the patch addressing this vulnerability (changeset available in the WordPress plugin repository). As an interim workaround, consider disabling the plugin until the update can be applied, or implement Web Application Firewall (WAF) rules to block POST requests to admin-ajax.php with action=emd_delete_file from unauthenticated users. Review server logs for any prior exploitation attempts targeting this endpoint (GitHub Advisory, Wordfence).
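The handler pattern described above next to a hardened rewrite, as an added illustration that is not the plugin's actual code: the vulnerable version reconstructs only what the advisory states (an unauthenticated AJAX action that turns $_POST['path'] into a function name and calls it), and the hardened version drops the dynamic call in favour of a capability check, a nonce, and path confinement to an uploads subdirectory. The nonce action names and the emd/ upload subdirectory are assumptions.

```php
<?php
// Added example, not the plugin's code. Reconstructs the pattern the advisory
// describes: the request parameter becomes a PHP function name and is invoked.
function emd_delete_file_vulnerable() {
    check_ajax_referer( 'emd_nonce', 'nonce' ); // nonce is public on the quote-form page
    $sess_name = $_POST['path'];                // attacker-controlled string
    $sess_name();                               // variable-function call, e.g. phpinfo()
    wp_die();
}
// wp_ajax_nopriv_ makes the action reachable without logging in.
add_action( 'wp_ajax_nopriv_emd_delete_file', 'emd_delete_file_vulnerable' );

// Hardened version (assumed names): authenticated users with upload rights only,
// nonce verified, and the parameter treated strictly as a filename, never as code.
function emd_delete_file_hardened() {
    check_ajax_referer( 'emd_delete_file', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // sanitize_file_name() strips path separators and leading/trailing dots,
    // so "../" sequences and "." / ".." cannot survive as a name.
    $name = isset( $_POST['path'] ) ? sanitize_file_name( wp_unslash( $_POST['path'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid filename', 400 );
    }
    // Resolve both the allowed directory and the target, then require the target
    // to be a regular file directly inside that directory (defeats symlink escapes).
    $dir    = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'emd' );
    $target = ( false !== $dir ) ? realpath( $dir . '/' . $name ) : false;
    if ( false === $target || dirname( $target ) !== $dir || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}
// Registered only for logged-in users: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_emd_delete_file', 'emd_delete_file_hardened' );
```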
The vulnerability was assigned and disclosed by Wordfence, which maintains a threat intelligence database entry for this CVE. No notable independent researcher commentary, social media discussion, or broader media coverage has been identified at this time, consistent with the recency of the disclosure and the absence of a public PoC (Wordfence).
Source: This report was generated with the help of AI