Platform
wordpress
Component
ltl-freight-quotes-worldwide-express-edition
Fixed in
5.0.21
CVE-2025-24664 describes a SQL Injection vulnerability discovered in enituretechnology's LTL Freight Quotes – Worldwide Express Edition plugin for WordPress. This flaw allows unauthorized access and potential modification of data within the database. The vulnerability impacts versions from 0.0.0 through 5.0.20, and a patch is available in version 5.0.21.
Successful exploitation lets an attacker run SQL of their choosing with the privileges of the site's WordPress database account. In a typical installation that is enough to read, modify or delete any table in the site's database: the quote and shipment records the plugin stores, and the wp_users table, whose password hashes and e-mail addresses feed offline cracking, password resets and credential reuse against other systems. Rewriting an administrator's password hash, or inserting a user into wp_users with administrator capabilities in wp_usermeta, turns database access into full control of the site. The blast radius extends to any other application that shares the same database account or server. No exploitation of this particular CVE has been reported, but SQL injection in WordPress plugins is a routinely exploited class, used for data exfiltration and privilege escalation.
CVE-2025-24664 was publicly disclosed on January 27, 2025. The vulnerability's severity is classified as CRITICAL with a CVSS score of 9.3. Currently, there are no known active campaigns targeting this specific vulnerability, and no public proof-of-concept exploits have been released. It is not listed on the CISA KEV catalog at the time of this writing.
WordPress sites running versions 0.0.0 through 5.0.20 of the LTL Freight Quotes – Worldwide Express Edition plugin are affected. The injected SQL executes with whatever privileges the site's database account holds, so the exposure is greater on shared hosts where several sites run on one database server and the account has grants beyond its own schema (for example ALL PRIVILEGES ON *.*): compromising one site then reaches the other sites' data as well.
• wordpress (wp-cli): print the installed version and compare it with 5.0.21; this is the authoritative check:
wp plugin list | grep ltl-freight-quotes-worldwide-express-edition
• wordpress (filesystem): when wp-cli is not available, read the Version: line of the plugin header from the plugin's main file:
grep -m1 -E '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/ltl-freight-quotes-worldwide-express-edition/*.php
• source review (heuristic only): list $wpdb query calls that are not routed through $wpdb->prepare(); this points at candidate injection sites but does not by itself confirm the flaw, and a match in the patched release is not evidence of a regression:
grep -rn -E '\$wpdb->(query|get_var|get_row|get_col|get_results)\(' /var/www/html/wp-content/plugins/ltl-freight-quotes-worldwide-express-edition/ | grep -v 'prepare('
The advisory does not identify the injectable parameter, so there is no reliable black-box request to probe for it; SQL errors do not surface in HTTP response headers, and an improvised request against production is not a test. Treat the installed version as the indicator.
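The checks above leave the version comparison to the reader. The script below is an added example, not code from the advisory or from the plugin vendor: it reads the Version: field of a WordPress plugin header, compares it with the fixed release using a dotted-version comparison (so 5.0 is treated as below 5.0.21 and 5.0.21.1 is not), and reports whether the installed copy is in the affected range. The default plugin path and the sample header are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): classify an installed
# copy of LTL Freight Quotes - Worldwide Express Edition as affected (<= 5.0.20) or
# fixed (>= 5.0.21) from the "Version:" field of its WordPress plugin header.
# The plugin directory path and the sample header are assumptions for illustration.

PLUGIN_SLUG='ltl-freight-quotes-worldwide-express-edition'
FIXED_VERSION='5.0.21'

# Constructed sample of a WordPress plugin header block (not copied from the plugin).
SAMPLE_HEADER='<?php
/**
 * Plugin Name: LTL Freight Quotes - Worldwide Express Edition
 * Version: 5.0.20
 */'

# Read a plugin header block on stdin and print the value of its Version: line.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: succeed (exit 0) when dotted version A is numerically lower than B.
# Missing components count as 0, so 5.0 < 5.0.21, and 5.0.21 is not < 5.0.21.
version_lt() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1='' ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2='' ;; esac
        a="${a:-0}"; b="${b:-0}"
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1
}

# Print "affected" or "fixed" for the version string given as $1.
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo affected; else echo fixed; fi
}

# Check an installed copy: find the main plugin file (the one carrying the
# "Plugin Name:" header), extract its version and classify it. With wp-cli available,
# `wp plugin get "$PLUGIN_SLUG" --field=version` yields the same version string.
check_plugin_dir() {
    dir="${1:-/var/www/html/wp-content/plugins/$PLUGIN_SLUG}"   # assumed default path
    main_file=$(grep -l -m1 'Plugin Name:' "$dir"/*.php 2>/dev/null | head -n 1)
    if [ -z "$main_file" ]; then
        echo "no plugin header found under $dir" >&2
        return 2
    fi
    ver=$(plugin_version_from_header < "$main_file")
    echo "$PLUGIN_SLUG $ver: $(classify_version "$ver")"
}

# Demo on the constructed header; prints "affected".
classify_version "$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version_from_header)"
```

Run `check_plugin_dir /path/to/wp-content/plugins/ltl-freight-quotes-worldwide-express-edition` on a live install; the version comparison deliberately ignores any pre-release suffix, which the sed pattern strips, so a build labelled 5.0.21-rc1 would be classified as fixed and should be checked by hand.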
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The fix for CVE-2025-24664 is to upgrade the LTL Freight Quotes – Worldwide Express Edition plugin to version 5.0.21 or later. If the upgrade has to wait, deactivate the plugin in the meantime if the site can run without freight quotes; otherwise put a WAF with a maintained SQL-injection rule set in front of the site as a stopgap. Hand-written rules that block single quotes, semicolons or SQL keywords in every parameter are a poor substitute: they break legitimate input (names with apostrophes, free-text address fields), they are bypassed with encoding and comment tricks, and since the advisory does not name the injectable parameter they cannot be scoped to the vulnerable endpoint. Independently of the upgrade, give the site a dedicated database account whose grants are limited to its own schema, with no FILE, SUPER or other privilege on *.*; this does not stop the injection, but it keeps a successful one from reaching other databases or the file system of the database host. After upgrading, confirm that the installed version reports 5.0.21 or later (wp plugin list, or the Version: header of the plugin's main file). Retesting the endpoint itself is only meaningful as an authorized scan against a staging copy; do not improvise injection attempts against production.
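The shared-hosting concern above and the advice to restrict the database account come down to one question: can SQL executed through the plugin leave the site's own schema? The script below is an added example, not from the advisory or the plugin vendor. It audits SHOW GRANTS output for grants that let an injected query reach other schemas or the host file system, and emits the statements for a per-site account scoped to one schema. The account and schema names and the two SHOW GRANTS samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): keep a SQL injection inside the site's own
# schema by scoping the WordPress database account. audit_grants flags SHOW GRANTS
# lines that exceed what WordPress needs; least_privilege_sql emits the GRANT
# statements for a dedicated per-site account. Names and samples are constructed.

# Constructed sample: SHOW GRANTS for an account that was given everything (the weak
# setting often found on shared servers). Not captured from a real host.
SAMPLE_GRANTS_WEAK='GRANT ALL PRIVILEGES ON *.* TO `wp`@`localhost`
GRANT FILE ON *.* TO `wp`@`localhost`'

# Constructed sample for a correctly scoped account. MySQL always prints the bare
# USAGE line, which grants nothing and must not be flagged.
SAMPLE_GRANTS_SCOPED='GRANT USAGE ON *.* TO `wp_site1`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES ON `wp_site1`.* TO `wp_site1`@`localhost`'

# Read SHOW GRANTS output on stdin and print the lines that let an injected query
# leave the site's schema: any grant on *.* other than bare USAGE, ALL PRIVILEGES on
# anything, or the global FILE / SUPER / PROCESS privileges (FILE is what turns an
# injection into file read/write on the database host via LOAD_FILE / INTO OUTFILE).
audit_grants() {
    grep -v '^GRANT USAGE ON \*\.\*' \
    | grep -E 'ON \*\.\* TO|ALL PRIVILEGES|GRANT ([A-Z ,]*, *)?(FILE|SUPER|PROCESS)( *,|[[:space:]]ON)'
}

# Number of risky grant lines in the SHOW GRANTS text given as $1.
risky_grant_count() {
    printf '%s\n' "$1" | audit_grants | wc -l | tr -d ' '
}

# Emit the statements for a dedicated per-site account. WordPress core needs DDL
# rights (CREATE/ALTER/DROP/INDEX) inside its own schema for upgrades and plugin
# installs, so the gain is isolation: no grant on *.*, no FILE or SUPER, no reach into
# other sites' schemas. An injection can still read and alter every table in this
# schema, which is why the plugin upgrade, not this scoping, is the actual fix.
# Arguments: schema user [host] password. Prefer feeding the password from a file.
least_privilege_sql() {
    schema="$1"; user="$2"; host="${3:-localhost}"; password="$4"
    cat <<EOF
CREATE USER IF NOT EXISTS '${user}'@'${host}' IDENTIFIED BY '${password}';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '${user}'@'${host}';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES ON \`${schema}\`.* TO '${user}'@'${host}';
FLUSH PRIVILEGES;
EOF
}

# Demo: the weak sample has 2 risky lines, the scoped sample has 0.
echo "risky grants (weak):   $(risky_grant_count "$SAMPLE_GRANTS_WEAK")"
echo "risky grants (scoped): $(risky_grant_count "$SAMPLE_GRANTS_SCOPED")"
least_privilege_sql wp_site1 wp_site1 localhost 'CHANGE-ME'
```

On a live server, pipe the real output in: `mysql -N -e "SHOW GRANTS FOR 'wp'@'localhost'" | audit_grants`. Any line printed is a grant that widens the blast radius of this CVE beyond the one site, and the emitted SQL (run as a privileged DBA account, with the schema name set to the site's actual database and the password replaced) is the scoped replacement; update wp-config.php to the new account afterwards.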
Update the LTL Freight Quotes – Worldwide Express Edition plugin to the latest available version to fix the SQL injection vulnerability. Check the plugin's page on WordPress.org for the most recent version and update instructions. Take a full backup of the website before applying any update.
CVE-2025-24664 is a critical SQL Injection vulnerability affecting the LTL Freight Quotes – Worldwide Express Edition WordPress plugin, allowing attackers to potentially access and manipulate the database.
You are affected if you are using LTL Freight Quotes – Worldwide Express Edition versions 0.0.0 through 5.0.20. Upgrade immediately.
Upgrade the LTL Freight Quotes – Worldwide Express Edition plugin to version 5.0.21 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the enituretechnology website and WordPress plugin repository for the official advisory and update information.