CVE-2025-24664
Published: 27 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24664 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the LTL Freight Quotes – Worldwide Express Edition WordPress plugin (ltl-freight-quotes-worldwide-express-edition) developed by enituretechnology. This issue impacts all versions of the plugin from n/a through 5.0.20. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this SQL Injection vulnerability remotely over the network without user interaction. Exploitation enables high confidentiality impact through unauthorized access to sensitive data in the database, alongside low availability impact, with a scope change that extends the attack surface beyond the vulnerable component.
The Patchstack advisory provides details on mitigation at https://patchstack.com/database/Wordpress/Plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-plugin-5-0-20-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing WordPress plugin enables remote unauthenticated exploitation of the web application.