CVE-2025-24664
Description
SQL Injection vulnerability in WordPress LTL Freight Quotes plugin version ≤5.0.20 allows unauthenticated attackers to extract database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress, developed by enituretechnology, contains an SQL Injection vulnerability in versions up to and including 5.0.20. The issue arises from improper neutralization of special elements used in an SQL command, allowing attackers to inject arbitrary SQL queries. This vulnerability is classified as Critical with a CVSS score of 9.3, indicating severe risk [1].
Exploitation
Exploitation does not require authentication, making the attack surface broad. An attacker can send crafted HTTP requests to vulnerable endpoints to inject malicious SQL statements. The vulnerability is expected to be exploited in mass campaigns targeting thousands of websites regardless of traffic size or popularity [1].
Impact
Successful exploitation allows an attacker to interact with the WordPress database directly, potentially stealing sensitive information such as user credentials, personal data, or other stored content. The attacker could also modify or delete database entries, leading to further compromise of the site [1].
Mitigation
The vendor has released version 5.0.21 to patch the vulnerability. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule to block attacks until the update is applied. If unable to update, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
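A defender-side check for the affected range stated on this page (versions up to and including 5.0.20), as an added example that is not part of the original page or the plugin's code. It assumes the plugin sits under its slug directory in `wp-content/plugins` and carries a standard WordPress header with `Plugin Name:` and `Version:` lines; the sample plugin files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Slug and affected range (<= 5.0.20) are taken from this page.
PLUGIN_SLUG = "ltl-freight-quotes-worldwide-express-edition"
LAST_VULNERABLE = (5, 0, 20)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def read_plugin_version(php_file):
    """Version tuple from a main plugin file's header, else None."""
    head = Path(php_file).read_text(errors="replace")[:8192]  # header lives in the first 8 KB
    match = VERSION_RE.search(head)
    if not NAME_RE.search(head) or not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def is_affected(version):
    """True for versions <= 5.0.20; short versions are zero-padded."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded <= LAST_VULNERABLE

def audit_plugins_dir(plugins_dir):
    """Return (status, version) with status absent/unknown/affected/ok."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    for php_file in sorted(plugin_dir.glob("*.php")):
        version = read_plugin_version(php_file)
        if version is not None:
            status = "affected" if is_affected(version) else "ok"
            return (status, ".".join(map(str, version)))
    return ("unknown", None)

def demo():
    """Audit two constructed installs (sample headers, not real plugin files)."""
    results = {}
    for installed in ("5.0.20", "5.0.21"):
        with tempfile.TemporaryDirectory() as root:
            plugin_dir = Path(root) / PLUGIN_SLUG
            plugin_dir.mkdir()
            (plugin_dir / "sample-main.php").write_text(  # constructed header
                f"<?php\n/*\n * Plugin Name: Sample\n * Version: {installed}\n */\n")
            results[installed] = audit_plugins_dir(root)
    return results

if __name__ == "__main__":
    print(demo())
```

Point `audit_plugins_dir` at each site's `wp-content/plugins` directory; an `affected` result means the install falls in the range listed here and should be updated.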
Affected products
- Range: <=5.0.20
- Range: <=5.0.20
Patches
- v5.1.6, Release: ltl-freight-quotes-worldwide-express-edition 5.1.6 (next version after vulnerable 5.0.20)
References