Platform: wordpress
Component: ltl-freight-quotes-worldwide-express-edition
Fixed in: 5.0.21
CVE-2025-24664 describes a SQL Injection vulnerability discovered in enituretechnology's LTL Freight Quotes – Worldwide Express Edition plugin for WordPress. This flaw allows unauthorized access and potential modification of data within the database. The vulnerability impacts versions from 0.0.0 through 5.0.20, and a patch is available in version 5.0.21.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the database associated with the LTL Freight Quotes plugin. This includes the ability to read, modify, or delete sensitive data such as customer information, shipment details, and financial records. An attacker could potentially gain access to user credentials stored in the database, enabling them to compromise other systems or accounts. The blast radius extends to any system or application that relies on the compromised database, potentially leading to significant data breaches and operational disruptions. While no direct precedent is immediately obvious, SQL Injection vulnerabilities are frequently exploited for data exfiltration and privilege escalation.
CVE-2025-24664 was publicly disclosed on January 27, 2025. The vulnerability's severity is classified as CRITICAL with a CVSS score of 9.3. Currently, there are no known active campaigns targeting this specific vulnerability, and no public proof-of-concept exploits have been released. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-24664 is to upgrade the LTL Freight Quotes – Worldwide Express Edition plugin to version 5.0.21 or later without delay. If upgrading is not immediately feasible because of compatibility or downtime concerns, consider a Web Application Firewall (WAF) rule that filters potentially malicious SQL queries aimed at the vulnerable endpoints: look for patterns indicative of SQL injection attempts, such as single quotes, double quotes, semicolons, or SQL keywords in user-supplied input. Additionally, review and restrict the permissions of the database user the site runs under, to limit the damage a successful attack could do. After upgrading, confirm the fix by testing the previously vulnerable endpoint for SQL injection and verifying that the attempt is properly blocked.
Update the LTL Freight Quotes – Worldwide Express Edition plugin to the latest available version to resolve the SQL Injection vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Ensure you perform a full backup of your website before performing any updates.
CVE-2025-24664 is a critical SQL Injection vulnerability affecting the LTL Freight Quotes – Worldwide Express Edition WordPress plugin, allowing attackers to potentially access and manipulate the database.
You are affected if you are using LTL Freight Quotes – Worldwide Express Edition versions 0.0.0 through 5.0.20. Upgrade immediately.
Upgrade the LTL Freight Quotes – Worldwide Express Edition plugin to version 5.0.21 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the enituretechnology website and WordPress plugin repository for the official advisory and update information.