{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3646", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T16:20:57.630Z", "datePublished": "2026-04-08T03:36:10.023Z", "dateUpdated": "2026-04-08T18:44:13.532Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:22.661Z"}, "affected": [{"vendor": "enituretechnology", "product": "LTL Freight Quotes \u2013 R+L Carriers Edition", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LTL Freight Quotes \u2013 R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling."}], "title": "LTL Freight Quotes \u2013 R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a144c9ae-dfdb-4ea2-8c27-84d59439c72a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L43"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L32"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3492361%40ltl-freight-quotes-rl-edition&new=3492361%40ltl-freight-quotes-rl-edition&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phong Nguyen"}], "timeline": [{"time": "2026-03-06T16:36:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T15:25:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:43:15.574824Z", "id": "CVE-2026-3646", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:44:13.532Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LTL Freight Quotes \u2013 R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling."}], "id": "CVE-2026-3646", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:06.130", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L43"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L49"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L43"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L49"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3492361%40ltl-freight-quotes-rl-edition&new=3492361%40ltl-freight-quotes-rl-edition&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a144c9ae-dfdb-4ea2-8c27-84d59439c72a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LTL Freight Quotes \u2013 R+L Carriers Edition", "source": "cna", "vendor": "enituretechnology"}, "product": "ltl_freight_quotes_\u2013_r+l_carriers_edition", "vendor": "enituretechnology"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T05:20:53.086258+00:00", "value": {"mitigation_remediation": ["Update the LTL Freight Quotes \u2013 R+L Carriers Edition plugin to version 3.3.14 or later. ", "If the update cannot be applied immediately, restrict access to the webhook script via web\u2011server configuration or disable it in the plugin settings. ", "Monitor WordPress configuration options for unauthorized changes. ", "If the plugin is no longer required, uninstall it completely."], "summary": {"action": "Apply Patch", "impact": "Unauthorized configuration changes leading to loss of premium features"}, "threat_synthesis": {"affected_systems": "The issue affects Eniture Technology\u2019s LTL Freight Quotes \u2013 R+L Carriers Edition WordPress plugin, any installation of version 3.3.13 or earlier. The plugin is deployed on WordPress sites that provide freight quote services.", "description_and_impact": "The vulnerability arises from missing authorization checks in the plugin\u2019s webhook handler, allowing any visitor to send GET requests to a standalone PHP file that updates WordPress options. Because no authentication, authorization, or nonce verification is performed, an attacker can change the subscription plan, downgrade the service, and alter expiration dates. The consequence is loss of paid features such as Dropship and Hazardous Material handling, potentially disrupting operations. This reflects a CWE\u2011862 missing authorization weakness.", "risk_and_exploitability": "The plugin\u2019s vulnerability scores a CVSS of 5.3, indicating medium risk. The EPSS score is not provided, and the vulnerability is not included in CISA\u2019s KEV catalog. Attackers can exploit it by making unauthenticated HTTP GET requests to the vulnerable script, which then writes configuration changes to WordPress. Because the exploit does not require privileged access or authentication, the risk is potentially higher for any site that does not restrict access to the script, allowing an attacker to downgrade a store and disable premium functionality."}}}}, "created": "2026-04-08T19:33:23.688080+00:00", "updated": "2026-04-08T19:43:59.725167+00:00", "vendors": ["enituretechnology", "enituretechnology$PRODUCT$ltl_freight_quotes_\u2013_r+l_carriers_edition", "wordpress", "wordpress$PRODUCT$wordpress"]}