
CVE-2026-2718: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dealia Dealia – Request a quote

Severity: Medium
Published: Thu Feb 19 2026 (02/19/2026, 09:26:36 UTC)
Source: CVE Database V5
Vendor/Project: dealia
Product: Dealia – Request a quote

Description

The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.8. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 14:13:02 UTC

Technical Analysis

CVE-2026-2718 is a stored cross-site scripting vulnerability in the Dealia – Request a Quote plugin for WordPress, affecting all versions up to and including 1.0.6. The root cause is improper neutralization of input during web page generation: the plugin uses wp_kses() to escape output inside HTML attribute contexts, where esc_attr() is the appropriate function. wp_kses() is a content filter that allow-lists tags and attributes within HTML markup; it is not an attribute-value escaper and does not neutralize the quote characters that terminate an attribute value, so attribute data passed through it can still break out of the attribute it is placed in. Because of this misuse, authenticated users with Contributor-level permissions or higher can inject arbitrary JavaScript through Gutenberg block attributes.

The injected script is stored with the page and rendered on every request, so it executes in the browser of any user who visits the affected page, administrators included. Possible consequences include theft of session cookies, privilege escalation, and other actions performed in the victim's browser context.

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and has a CVSS v3.1 base score of 6.4, medium severity: network attack vector, low attack complexity, privileges required, no user interaction, a scope change, and impact on confidentiality and integrity. No public exploits have been reported, but the wide use of WordPress and the plugin's role in quote handling make the issue significant. Choosing the wrong escaping function for an HTML attribute is a common source of XSS, and the fix is to replace wp_kses() with esc_attr() in the affected code paths. The Contributor-level requirement limits exploitation to users who already hold some trust, but that role is commonly granted on many WordPress sites.

Potential Impact

The impact of CVE-2026-2718 is primarily on the confidentiality and integrity of affected WordPress sites using the Dealia – Request a Quote plugin. Successful exploitation allows an attacker with Contributor-level access to inject persistent malicious scripts that execute in the browsers of any users visiting the infected pages. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or further malware distribution. While availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations relying on this plugin for quote requests may face customer trust issues and compliance risks if user data is compromised. The vulnerability’s requirement for authenticated access reduces the attack surface but does not eliminate risk, especially in environments with multiple contributors or weak user management. Since WordPress powers a significant portion of websites globally, and plugins like Dealia are used in various industries, the scope of affected systems is broad. The lack of known exploits in the wild currently reduces immediate risk but does not preclude future attacks. Overall, the vulnerability poses a medium risk that can escalate if combined with other vulnerabilities or social engineering.

Mitigation Recommendations

To mitigate CVE-2026-2718, organizations should immediately update the Dealia – Request a Quote plugin to a version that addresses this vulnerability once available. If no patch is currently released, manual code review and modification should be performed to replace wp_kses() with esc_attr() for output escaping in HTML attribute contexts within Gutenberg blocks. Additionally, restrict Contributor-level permissions to trusted users only and audit existing user roles to minimize the risk of malicious insiders. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting this plugin. Regularly scan the website for injected scripts or anomalous content in pages using the plugin. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Monitor logs for suspicious activities related to content editing or user actions at Contributor level or above. Educate site administrators and contributors about the risks of XSS and safe content practices. Finally, maintain regular backups to enable quick restoration if compromise occurs.
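As an added illustration of the defect described in the Technical Analysis and the fix recommended above (this is not the plugin's code and not from the advisory), a hypothetical dynamic-block render callback is shown in its vulnerable form beside its corrected form. The block and attribute names are assumptions, and the code assumes the WordPress runtime for wp_kses(), esc_attr() and esc_html().

```php
<?php
/*
 * Added illustration, not the plugin's code. Hypothetical dynamic block render
 * callback; the attribute names (buttonLabel, buttonTitle) are assumptions.
 * Assumes the WordPress runtime for wp_kses(), esc_attr() and esc_html().
 * $attributes is the block's JSON attribute object, which a Contributor can edit.
 */

// Vulnerable pattern: wp_kses() allow-lists tags and attributes inside HTML
// content, but it is not an attribute-value escaper. It leaves the double-quote
// character alone, so a saved value of the shape  " onmouseover="...  (constructed
// example) passes the filter unchanged and, once interpolated into title="...",
// terminates the attribute and adds an event-handler attribute of its own.
function dealia_example_render_vulnerable( array $attributes ): string {
    $label = isset( $attributes['buttonLabel'] ) ? (string) $attributes['buttonLabel'] : 'Request a quote';
    $title = isset( $attributes['buttonTitle'] ) ? (string) $attributes['buttonTitle'] : '';

    return sprintf(
        '<button class="dealia-quote" title="%s">%s</button>',
        wp_kses( $title, array() ), // BUG: content filter used in an attribute context
        esc_html( $label )
    );
}

// Hardened pattern: the escaping function is chosen by output context.
// esc_attr() encodes & < > " ' so the value can never close the attribute;
// esc_html() covers element text. URL-bearing attributes (href, src) would
// additionally need esc_url(), which esc_attr() does not replace.
function dealia_example_render_fixed( array $attributes ): string {
    $label = isset( $attributes['buttonLabel'] ) ? (string) $attributes['buttonLabel'] : 'Request a quote';
    $title = isset( $attributes['buttonTitle'] ) ? (string) $attributes['buttonTitle'] : '';

    return sprintf(
        '<button class="dealia-quote" title="%s">%s</button>',
        esc_attr( $title ),
        esc_html( $label )
    );
}
```

When reviewing a block's render callback or PHP template, any wp_kses() or wp_kses_post() call that sits between the quotes of an HTML attribute is the pattern to flag.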


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-02-18T21:01:51.626Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6996de3e6aea4a407a4fb0f7

Added to database: 2/19/2026, 9:56:14 AM

Last enriched: 2/28/2026, 2:13:02 PM

Last updated: 4/9/2026, 8:42:07 AM

Views: 62
