Vulnerability Details for Dealia - Request a quote

Description

CVE: CVE-2026-2504
CVSS: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Publicly Published: February 18, 2026
Last Updated: February 19, 2026
Researcher: Ronnachai Sretawat Na Ayutaya (Simonhaskell) - Reconix Co., Ltd.

Vulnerability Information

Missing Authorization: The Dealia - Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6.
Affected Versions: <= 1.0.6
Admin Nonce Vulnerability: The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php.
AJAX Handlers Vulnerability: AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options').
Exploitability: Authenticated attackers with Contributor-level access and above can reset the plugin configuration.

References

plugins.trac.wordpress.org

Status

Patched?: No
Remediation: No known patch available. Uninstall the affected software and find a replacement.
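
The missing-authorization pattern described under Vulnerability Information, shown as an added example of a nonce-only AJAX handler beside one that also checks the capability. This is not the Dealia plugin's code: every example_* function, action, option, script handle and nonce name is hypothetical, and the snippet assumes it is loaded as part of a plugin inside WordPress.

```php
<?php
// Added illustration; all example_* names are hypothetical, not taken from the plugin.

// Weak pattern: the nonce is the only gate. A nonce shows the request came from a
// page rendered for this user; it says nothing about what that user may do.
function example_reset_settings_weak() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}

// Corrected pattern: verify the nonce, then the capability, before changing state.
function example_reset_settings() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request, so nothing below runs.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}
// wp_ajax_{action} hooks fire for any logged-in user, whatever their role.
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings' );

// Defence in depth: only give the admin nonce to users who are allowed to use it,
// so editor screens rendered for Contributors never carry it.
function example_enqueue_editor_assets() {
    wp_enqueue_script( 'example-editor', plugins_url( 'editor.js', __FILE__ ), array(), '1.0', true );
    $data = array( 'ajaxUrl' => admin_url( 'admin-ajax.php' ) );
    if ( current_user_can( 'manage_options' ) ) {
        $data['adminNonce'] = wp_create_nonce( 'example_admin_nonce' );
    }
    wp_localize_script( 'example-editor', 'exampleEditor', $data );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_assets' );
```

The capability check in the handler is the actual fix; withholding the nonce only narrows exposure and should not be relied on alone.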