CVE-2024-13480: 
WordPress vulnerability analysis and mitigation

The LTL Freight Quotes – For Customers of FedEx Freight WordPress plugin contains a SQL Injection vulnerability (CVE-2024-13480) discovered by Colin Xu and publicly disclosed on February 11, 2025. The vulnerability affects all versions up to and including 3.4.1 of the plugin (WPScan, NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.5 (High). The security flaw exists in the 'editid' and 'dropshipedit_id' parameters due to insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The vulnerability has received a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing ones, potentially leading to the extraction of sensitive information from the database (NVD).

The vulnerability has been patched in version 3.4.2 of the plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).