CVE-2024-13479 in LTL Freight Quotes Plugininfo

Summary

by MITRE • 02/19/2025

The LTL Freight Quotes – SEFL Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/19/2025

The vulnerability identified as CVE-2024-13479 affects the LTL Freight Quotes – SEFL Edition plugin for WordPress, specifically targeting versions up to and including 3.2.4. This represents a critical security flaw that exposes the plugin to unauthorized SQL injection attacks. The vulnerability stems from inadequate input validation and sanitization mechanisms within the plugin's codebase, creating an exploitable condition that allows attackers to manipulate database queries through carefully crafted input parameters.

The technical flaw manifests through the 'dropship_edit_id' and 'edit_id' parameters which are directly incorporated into SQL queries without proper escaping or parameterization. This lack of input sanitization creates a direct pathway for attackers to inject malicious SQL code into existing database operations. The vulnerability is classified as a classic SQL injection issue where user-supplied data is concatenated directly into SQL statements rather than being properly parameterized or escaped. According to CWE-89, this represents a well-known weakness in database query construction that enables attackers to manipulate the intended behavior of SQL commands.

The operational impact of this vulnerability extends beyond simple data theft, as unauthenticated attackers can leverage the SQL injection to extract sensitive information from the WordPress database. This includes but is not limited to user credentials, customer data, plugin configurations, and potentially administrative access credentials. The vulnerability's severity is amplified by its unauthenticated nature, meaning attackers do not require valid login credentials to exploit the flaw. The attack surface is particularly concerning as it affects a widely used plugin that likely handles sensitive freight quote information and business data for transportation companies.

Security professionals should note that this vulnerability aligns with ATT&CK technique T1213.002 which involves data from information repositories. The exploitation process would likely involve crafting malicious payloads targeting the specific parameters, then executing the injected SQL commands to extract or modify database contents. Organizations using this plugin should immediately implement mitigations including updating to the latest version, implementing web application firewalls, and conducting comprehensive security audits of their WordPress installations. The vulnerability demonstrates the critical importance of proper input validation and parameterized queries in preventing database-related attacks, particularly in commercial plugins that handle sensitive business information.

Responsible

Wordfence

Reservation

01/16/2025

Disclosure

02/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00736

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!