CVE-2024-13490: 
WordPress vulnerability analysis and mitigation

The LTL Freight Quotes – XPO Edition plugin for WordPress contains an SQL Injection vulnerability (CVE-2024-13490) that affects all versions up to and including 4.3.7. The vulnerability was discovered and reported by Wordfence, with initial disclosure on February 12, 2025 (NVD CVE).

The vulnerability exists due to insufficient escaping of user-supplied parameters 'edit_id' and 'dropship_edit_id' and lack of proper SQL query preparation. This security flaw allows unauthenticated attackers to append additional SQL queries to existing queries. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD CVE).

The vulnerability enables attackers to extract sensitive information from the database through SQL injection techniques. The CVSS score indicates high impact on confidentiality while maintaining no direct impact on integrity or availability of the system (NVD CVE).

A patch has been released to address this vulnerability. Users are advised to update their LTL Freight Quotes – XPO Edition plugin to a version newer than 4.3.7 (WordPress Patch).