LTL Freight Quotes – Worldwide Express Edition <= 5.2.1 - Missing Authorization
Description
The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 5.2.1
What Changed in the Fix
Changes introduced in v5.2.2
Source Code
WordPress.org SVN
Exploitation Research Plan - CVE-2026-34899
1. Vulnerability Summary
The LTL Freight Quotes – Worldwide Express Edition plugin (<= 5.2.1) is vulnerable to Missing Authorization. The function EnSpeedfreightVa::get_va_coupon_data in fdo/en-va.php lacks a sufficient capability check (or the check is bypassable or missing in version 5.2.1) and is exposed via a WordPress AJAX action. This allows unauthenticated attackers to trigger an API synchronization process that updates the WordPress database (update_option) and discloses promotional data, including coupons and registration URLs. Two caveats for anyone reproducing this: the excerpt reproduced under Vulnerable Code below does contain a current_user_can('manage_options') check that answers non-admin callers with an empty JSON array, so the excerpt alone does not show the unauthenticated path and the build actually shipped as 5.2.1 has to be checked for whether that check is present; and the CVSS vector above scores confidentiality impact as none (C:N) and integrity as low (I:L), so the scored impact is the unauthenticated database write rather than the coupon disclosure.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: get_va_coupon_data (inferred from the method name) or wwe_get_va_coupon_data
- Method: POST or GET
- Authentication: none required (vulnerable via wp_ajax_nopriv_registration)
- Preconditions: the WordPress option en_va_coupon_data should be empty (default state) for the update_option side effect to trigger.
3. Code Flow
- Entry Point: An unauthenticated user sends a request to admin-ajax.php with the action parameter set to the hook associated with get_va_coupon_data.
- Hook Execution: WordPress executes the callback registered to wp_ajax_nopriv_[action], which maps to EnSpeedfreightVa::get_va_coupon_data().
- Vulnerable Function (fdo/en-va.php): get_va_coupon_data() is called.
  - In the vulnerable version (5.2.1), the current_user_can('manage_options') check is either missing or bypassed.
  - The function checks whether get_option('en_va_coupon_data') is empty.
  - If empty, it calls $this->get_va_coupon_data_from_api(), which makes an outbound request to https://validate-addresses.com/use_coupon.
  - The response is decoded, and if a promo key exists, update_option('en_va_coupon_data', $va_coupon_data) is called.
- Information Disclosure: The function then calls $this->get_va_coupon_parsed_data($va_coupon_data), which returns an array containing coupon, status, and register_url. This array is returned to the AJAX wrapper and echoed back to the attacker (usually as JSON).
4. Nonce Acquisition Strategy
Based on the provided source for fdo/en-va.php, the get_va_coupon_data function does not perform any nonce verification (e.g., check_ajax_referer or wp_verify_nonce).
Exploitation does not require a nonce.
5. Exploitation Strategy
Step 1: Confirm AJAX Action
The researcher should first identify the exact AJAX action string.
# Search for the AJAX registration in the plugin directory
grep -r "get_va_coupon_data" /var/www/html/wp-content/plugins/ltl-freight-quotes-worldwide-express-edition/
Expected output: an add_action('wp_ajax_nopriv_...', ...) line (or similar) whose first argument gives the action string. If the only registration found uses the wp_ajax_ prefix without a wp_ajax_nopriv_ counterpart, the handler is reachable by logged-in users only, and the unauthenticated request in Step 2 will be answered by WordPress core with HTTP 400 and the body 0. We will assume the action is get_va_coupon_data.
Step 2: Trigger Unauthorized Sync/Disclosure
Perform an unauthenticated request to the AJAX endpoint.
Request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

action=get_va_coupon_data
Step 3: Analyze Response
A successful exploit will return a JSON object containing coupon information.
{
"coupon": "PROMO123",
"status": 1,
"va_user": false,
"va_company_id": false,
"va_company_text": "",
"register_url": "https:\/\/validate-addresses.com\/register?code=...",
"login_url": "https:\/\/validate-addresses.com\/login?code=..."
}
6. Test Data Setup
- Install and activate LTL Freight Quotes – Worldwide Express Edition 5.2.1.
- Ensure no configuration has been performed (the option en_va_coupon_data should be non-existent or empty).
- Optionally, verify the option state via WP-CLI:
wp option get en_va_coupon_data
Result: "Error: Could not find 'en_va_coupon_data' option."
7. Expected Results
- The admin-ajax.php request returns a JSON response containing the coupon data fetched from the Eniture API.
- The WordPress database is modified: the en_va_coupon_data option is populated with the API response.
- No authentication or nonces are required.
8. Verification Steps
After sending the HTTP request, verify the database state using WP-CLI:
# Check if the option was created/updated
wp option get en_va_coupon_data
Expected Result: A JSON string containing promotional data.
9. Alternative Approaches
If the direct get_va_coupon_data action name is incorrect, search woocommercefrieght.php for any add_action calls that reference the EnSpeedfreightVa class or the fdo/en-va.php file.
If the site is already configured (option not empty), the update_option call will not trigger, but the Information Disclosure (returning the existing coupon data) will still occur, which is sufficient to demonstrate the Missing Authorization vulnerability.
Summary
The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to unauthorized access because it exposes internal coupon synchronization logic via an AJAX action without sufficient capability checks or nonce verification. This allows unauthenticated attackers to disclose sensitive promotional data and trigger unauthorized updates to the plugin's configuration in the database.
Vulnerable Code
// fdo/en-va.php
/**
 * Function which is responsible to return va coupon data
 */
public function get_va_coupon_data(){
    // Capability check present in this excerpt: non-admin callers get "[]"
    if (!current_user_can('manage_options')) {
        echo json_encode([]);
        return;
    }
    $va_coupon_data = get_option('en_va_coupon_data');
    if(empty($va_coupon_data)){
        try{
            // Outbound request to https://validate-addresses.com/use_coupon
            $va_coupon_data = $this->get_va_coupon_data_from_api();
            $data_decoded = json_decode($va_coupon_data);
            if(isset($data_decoded->promo)){
                // Database side effect: persists the raw API reply
                update_option('en_va_coupon_data', $va_coupon_data);
            }else{
                return [];
            }
        }catch(Exception $e){
            return [];
        }
    }
    // Parsed array (coupon, status, register_url, ...) handed back to the AJAX caller
    return $this->get_va_coupon_parsed_data($va_coupon_data);
}
Security Fix
Only in /home/deploy/wp-safety.org/data/plugin-versions/ltl-freight-quotes-worldwide-express-edition/5.2.1: en-hit-to-update-plan.php Only in /home/deploy/wp-safety.org/data/plugin-versions/ltl-freight-quotes-worldwide-express-edition/5.2.1/fdo: en-va.php @@ -3,7 +3,7 @@ Tags: eniture. worldwide express,LTL freight rates, LTL freight quotes,shipping rates Requires at least: 6.4 Tested up to: 6.9 -Stable tag: 5.2.1 +Stable tag: 5.2.2 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -168,6 +168,9 @@ == Changelog == += 5.2.2 - 2026-03-03 = +* Fix: Resolved Broken Access Control vulnerability to improve overall plugin security. + = 5.2.1 - 2026-03-02 = * Fix: Resolved JS files minification conflict with the WP Rocket plugin to ensure compatibility with asset optimization. @@ -5,7 +5,7 @@ Description: Obtains a dynamic estimate of LTL Freight rates via the Worldwide Express Speedfreight API for your orders. Author: Eniture Technology Author URI: https://eniture.com/ - Version: 5.2.1 + Version: 5.2.2 Text Domain: eniture-technology License: GPLv2 or later Requires Plugins: woocommerce
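Review bot: the diff carries no code hunk for the access-control fix itself; the only record of it is the two "Only in .../5.2.1" lines, which show fdo/en-va.php (the file holding EnSpeedfreightVa::get_va_coupon_data) and en-hit-to-update-plan.php being removed outright in 5.2.2 rather than patched, while the three hunks that are shown (readme Stable tag, the 5.2.2 changelog entry, and the plugin header Version) are version bookkeeping only and lack their file headers. The changelog line "Resolved Broken Access Control vulnerability" should name the removed AJAX handler and its hook so that operators can verify the change on their install (for example by confirming that fdo/en-va.php no longer exists after updating), and the add_action registration in the main plugin file that pointed at the deleted class should appear in the diff if it was touched, since a dangling wp_ajax_nopriv_ registration would otherwise surface as a fatal error rather than a clean 400.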
Exploit Outline
To exploit this vulnerability, an attacker identifies the AJAX action responsible for fetching coupon data (e.g., `get_va_coupon_data` or `wwe_get_va_coupon_data`). Because the function is registered via `wp_ajax_nopriv_` and lacks valid authorization or nonce checks in the affected versions, the attacker sends an unauthenticated POST request to `/wp-admin/admin-ajax.php` with the corresponding `action` parameter. The server then executes `get_va_coupon_data`, which contacts the Eniture API, updates the `en_va_coupon_data` WordPress option if it is empty, and returns a JSON object containing the coupon code, registration URLs, and other promotional metadata to the attacker.