EUVD-2026-20042
GHSA-5cr3-m7xx-pv5v
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Description
The LTL Freight Quotes - R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.
Analysis
Unauthenticated attackers can modify LTL Freight Quotes - R+L Carriers Edition plugin subscription settings via a webhook handler with missing authorization controls in all versions up to 3.3.13. The vulnerability allows downgrading paid subscriptions to trial plans, changing store type, and manipulating expiration dates, effectively disabling premium features like Dropship and Hazardous Material handling. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today