Attack Vectors
CVE-2026-2718 affects the Dealia – Request a Quote WordPress plugin (slug: dealia-request-a-quote) in versions up to and including 1.0.8. This is a Medium-severity issue (CVSS 6.4, vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
The attack requires an authenticated WordPress account with Contributor-level access or higher. A Contributor can create and edit their own posts but cannot publish them, so the attacker stores the payload in a Gutenberg block attribute of a draft; it goes live once a user who can do so previews or publishes the post. Because the issue is a stored cross-site scripting (XSS) flaw, the script executes in the browser of anyone who views the affected page, including higher-privileged users reviewing the content, without any click or other interaction on the visitor's part (UI:N in the vector).
Security Weakness
The root cause is escaping that does not match the output context. wp_kses() is an allowlist filter for HTML content: it removes disallowed tags and attributes, but it does not encode double or single quotes. When a wp_kses()-filtered value is concatenated into a quoted HTML attribute, a value such as `" onmouseover="..."` contains no tag for wp_kses() to strip, closes the attribute, and adds an event handler to the element. The correct function for that context is esc_attr(), which encodes quotes, angle brackets and ampersands so the value cannot terminate the attribute.
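The context mismatch in miniature, as an added example (not code from the Dealia plugin): the same block attribute rendered once through wp_kses() and once through esc_attr(). The block attribute name, the CSS class and the render functions are hypothetical; the file defines simplified stand-ins for wp_kses() and esc_attr() only when it runs outside WordPress, so it can be executed with the PHP CLI.

```php
<?php
// Added example illustrating the escaping-context mismatch; not plugin code.
// Block attribute name, class name and function names are hypothetical.

// Stand-ins so this file runs outside WordPress (php attr_context.php).
// Real wp_kses() keeps only allowlisted tags and attributes; with an empty
// allowlist it strips tags but leaves quote characters untouched, which is
// the behaviour that matters here. The stand-in reproduces just that.
if (!function_exists('wp_kses')) {
    function wp_kses($string, $allowed_html) {
        return strip_tags($string); // simplified stand-in, no quote encoding
    }
}
// Real esc_attr() encodes quotes, angle brackets and ampersands for use
// inside a quoted HTML attribute; htmlspecialchars with ENT_QUOTES is close.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the block attribute value is placed inside a quoted
// HTML attribute but is only run through wp_kses(), which does not encode quotes.
function render_button_vulnerable(array $attributes): string {
    $label = wp_kses($attributes['buttonLabel'] ?? '', array());
    return '<a class="quote-button" title="' . $label . '">Request a quote</a>';
}

// Hardened pattern: esc_attr() encodes the quote, so the value stays inside
// the title attribute and no new attribute can be introduced.
function render_button_fixed(array $attributes): string {
    $label = esc_attr($attributes['buttonLabel'] ?? '');
    return '<a class="quote-button" title="' . $label . '">Request a quote</a>';
}

// Constructed payload of the kind a Contributor could store in a block attribute.
// It contains no tag, so wp_kses() has nothing to strip.
$attributes = array('buttonLabel' => '" onmouseover="alert(document.domain)');

echo render_button_vulnerable($attributes), PHP_EOL;
echo render_button_fixed($attributes), PHP_EOL;
```

In the vulnerable output the stored value closes the title attribute and the element gains an onmouseover handler; in the fixed output the quotes appear as entities and the whole value remains the title text. The same reasoning applies to any value that lands in an attribute: choose the escaping function by the HTML context the value ends up in, not by what the input looks like.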
Wordfence's vulnerability entry indicates that no patch was available at the time of writing. Source: Wordfence Threat Intel. Official CVE record: CVE-2026-2718.
Technical or Business Impacts
Stored XSS is often a “business-impact multiplier” because it runs in the context of your site and can affect high-value audiences (prospects, customers, partners, and employees). For marketing and revenue teams, this can translate into diverted leads, altered calls-to-action, invisible redirects, or injected content that damages campaign performance and brand trust.
Potential impacts include: session or account misuse for logged-in users, unauthorized changes to on-page messaging, lead-capture interference (including “request a quote” journeys), and reputational harm if visitors see unexpected pop-ups or malicious redirects. Compliance and privacy teams may also need to consider whether any user data exposure occurred, depending on what scripts were injected and who visited impacted pages.
Given the lack of a known patch, many organizations will treat this as an operational risk decision. Common mitigations include removing or uninstalling the affected plugin and replacing it, restricting Contributor access (especially for untrusted or external accounts), reviewing pages and posts that use Dealia Gutenberg blocks for attribute values containing quotes, angle brackets or event-handler names, and increasing monitoring for unexpected content changes until a fixed version is published.
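One way to carry out the content review above, as an added example (not code from the Dealia plugin or from Wordfence): parse the Gutenberg block delimiters out of stored post_content, decode each block's JSON attributes, and flag string values that would only be useful to an attacker in an attribute context. The Dealia block names are not known here, so the filter treats any block whose name contains "dealia" as in scope; that filter, the suspicious-pattern list and the sample content are assumptions to adjust for the real site.

```php
<?php
// Added example for triaging stored block content; not plugin or Wordfence code.
// Gutenberg serializes a block as an HTML comment: <!-- wp:namespace/name {"attr":"value"} -->
// (self-closing with " /-->", or followed by content and <!-- /wp:namespace/name -->).
// Assumption: block names of interest contain "dealia"; adjust to the real names.
const BLOCK_NAME_FILTER = 'dealia';

// Patterns that are rarely legitimate in a value destined for an HTML attribute.
// Quotes are noisy (apostrophes in titles) but are exactly what breaks out of an attribute.
const SUSPICIOUS_PATTERNS = array(
    '/["\']/'            => 'quote character (attribute breakout)',
    '/<\s*\/?\s*[a-z]/i' => 'angle bracket followed by a tag name',
    '/\bon[a-z]+\s*=/i'  => 'event handler (onerror=, onmouseover=, ...)',
    '/javascript\s*:/i'  => 'javascript: URL',
);

// Parse opening block delimiters and return the matching blocks with decoded attributes.
function extract_blocks(string $post_content, string $name_filter): array {
    $blocks = array();
    // Closing delimiters start with "/wp:" and therefore do not match this pattern.
    $re = '/<!--\s+wp:([a-z0-9][a-z0-9_\/-]*)\s*(\{.*?\})?\s*\/?-->/s';
    if (!preg_match_all($re, $post_content, $matches, PREG_SET_ORDER)) {
        return $blocks;
    }
    foreach ($matches as $m) {
        $name = $m[1];
        if (stripos($name, $name_filter) === false) {
            continue;
        }
        $attrs = array();
        if (isset($m[2]) && $m[2] !== '') {
            $decoded = json_decode($m[2], true); // Gutenberg stores attributes as JSON
            if (is_array($decoded)) {
                $attrs = $decoded;
            }
        }
        $blocks[] = array('block' => $name, 'attributes' => $attrs);
    }
    return $blocks;
}

// Walk the attribute tree (nested objects and arrays included) and test every string value.
function find_suspicious_values(array $attributes, string $path = ''): array {
    $hits = array();
    foreach ($attributes as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_array($value)) {
            $hits = array_merge($hits, find_suspicious_values($value, $here));
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        foreach (SUSPICIOUS_PATTERNS as $pattern => $reason) {
            if (preg_match($pattern, $value)) {
                $hits[] = array('attribute' => $here, 'reason' => $reason, 'value' => $value);
            }
        }
    }
    return $hits;
}

// Scan one post's content; returns a list of findings (empty when nothing is flagged).
function scan_post_content(string $post_content): array {
    $findings = array();
    foreach (extract_blocks($post_content, BLOCK_NAME_FILTER) as $block) {
        foreach (find_suspicious_values($block['attributes']) as $hit) {
            $hit['block'] = $block['block'];
            $findings[] = $hit;
        }
    }
    return $findings;
}

// Constructed sample post_content (not real site data): a core block that is out of
// scope, a benign hypothetical Dealia block, and one carrying an attribute-breakout payload.
$sample = <<<'HTML'
<!-- wp:paragraph --><p>Hello</p><!-- /wp:paragraph -->
<!-- wp:dealia/quote-button {"buttonLabel":"Get a quote","style":{"color":"#333"}} /-->
<!-- wp:dealia/quote-form {"title":"\" onmouseover=\"alert(document.domain)","fields":["email"]} -->
<div class="quote-form"></div>
<!-- /wp:dealia/quote-form -->
HTML;

foreach (scan_post_content($sample) as $f) {
    printf("%s: attribute %s flagged (%s): %s\n", $f['block'], $f['attribute'], $f['reason'], $f['value']);
}
```

Run against live data by feeding each row of wp_posts.post_content (drafts and revisions included, since a Contributor's payload may only exist in a pending draft) to scan_post_content() from a WP-CLI eval-file or a one-off script, and review every hit by hand: the quote rule will flag innocent apostrophes, which is acceptable for a review whose purpose is to look at everything that could terminate an attribute.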
Similar Attacks
Stored XSS has repeatedly been used to hijack trust on legitimate websites and execute scripts for visitors at scale. A relevant example is a stored XSS issue previously addressed in WordPress core: CVE-2019-9787, a cross-site request forgery in comment handling, fixed in WordPress 5.1.1, that let an attacker store script-bearing comment content through an administrator's browser.