CVE-2026-34899

Vulnerability

Overview

The LTL Freight Quotes – Worldwide Express Edition plugin for WordPress versions up to and including 5.2.1 contains a missing authorization vulnerability [1]. This issue stems from an incorrectly configured access control security level, which fails to properly verify permissions before executing certain functions [1].

Exploitation

This vulnerability can be exploited by an attacker without needing any prior authentication or privileges [1]. The broken access control allows unprivileged users to execute actions that should only be available to higher-privileged users [1]. While considered low severity, such vulnerabilities are reportedly used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation could enable an attacker to perform unauthorized actions within the plugin's functionality, potentially leading to data exposure or configuration changes [1]. The exact impact depends on which specific actions become accessible.

Mitigation

The vulnerability has been patched in version 5.2.2 [1]. Users are strongly advised to update immediately [1]. For those unable to update, contacting a hosting provider or web developer is recommended [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].