CVE-2025-22290
Published: 16 February 2025
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows SQL Injection. This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through <= 2.3.11.
Security Summary
CVE-2025-22290, published on 2025-02-16, is an SQL Injection vulnerability (CWE-89) in the WordPress plugin LTL Freight Quotes – FreightQuote Edition by enituretechnology, with the slug ltl-freight-quotes-freightquote-edition. The flaw stems from improper neutralization of special elements used in an SQL command and affects all versions of the plugin up to and including 2.3.11. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Because the vector scores PR:N and UI:N, an unauthenticated attacker can reach the affected query over the network and inject SQL into it without any interaction from a site user. The impact ratings describe what that buys: confidentiality high (C:H), meaning data can be read out of the database the plugin queries, which on a WordPress site is shared with core and every other plugin rather than confined to the plugin's own tables; integrity none (I:N); and availability low (A:L). The changed scope (S:C) reflects exactly that crossing from the vulnerable plugin into the wider site's security context.
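To make the CWE-89 mechanism behind this rating concrete, the following is an added example and not code from the plugin or from the Patchstack advisory: a constructed SQLite lookup that mimics a quote-by-id query, written once with the request value spliced into the SQL text and once parameterized, then run against a tautology payload and a UNION payload. The table, column names, sample rows and payloads are invented for illustration; the page does not disclose the plugin's actual injection point or schema.

```python
import sqlite3

# Constructed sample rows standing in for a plugin table; invented schema,
# not the plugin's own.
SAMPLE_QUOTES = [
    (1, "FQ-1001", "60601", "10001", 412.50),
    (2, "FQ-1002", "90001", "30301", 655.00),
    (3, "FQ-1003", "75201", "98101", 799.99),
]

# Attacker-controlled values as they might arrive in a request parameter.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master--"


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quotes (id INTEGER PRIMARY KEY, quote_id TEXT, "
        "origin_zip TEXT, dest_zip TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO quotes VALUES (?, ?, ?, ?, ?)", SAMPLE_QUOTES)
    return conn


def lookup_vulnerable(conn, quote_id):
    """CWE-89: the request value becomes part of the SQL text itself."""
    sql = f"SELECT quote_id, price FROM quotes WHERE quote_id = '{quote_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, quote_id):
    """Parameterized query: the value is bound, never parsed as SQL."""
    sql = "SELECT quote_id, price FROM quotes WHERE quote_id = ?"
    return conn.execute(sql, (quote_id,)).fetchall()


def demo():
    """Run both lookups against a legitimate id and both payloads."""
    conn = make_db()
    results = {
        "legit_vulnerable": len(lookup_vulnerable(conn, "FQ-1002")),
        "legit_safe": len(lookup_safe(conn, "FQ-1002")),
        # The tautology turns a one-row lookup into a dump of every row.
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY_PAYLOAD)),
        # UNION reads from a table the query never referenced (here the
        # schema catalogue); this is the kind of read the C:H rating covers.
        "union_vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
        "union_safe": lookup_safe(conn, UNION_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path returns all three rows for the tautology and leaks the CREATE TABLE statement for the UNION payload; the parameterized path returns nothing for either, because the bound value is compared as a string and never parsed as SQL. In a WordPress plugin the equivalent of lookup_safe is building the statement with $wpdb->prepare() and %s/%d placeholders (with $wpdb->esc_like() for fragments that go into a LIKE pattern); interpolating request data into the query string is the pattern CWE-89 names.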
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ltl-freight-quotes-freightquote-edition/vulnerability/wordpress-ltl-freight-quotes-freightquote-edition-plugin-2-3-11-sql-injection-vulnerability?_s_id=cve details the vulnerability and should be consulted for mitigation guidance.
Details
- CWE(s)