CVE-2025-58643: 
WordPress vulnerability analysis and mitigation

The CVE-2025-58643 is a Deserialization of Untrusted Data vulnerability discovered in enituretechnology's LTL Freight Quotes – Daylight Edition WordPress plugin, affecting versions up to and including 2.2.7. The vulnerability was disclosed on September 3, 2025, and allows for PHP Object Injection (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The attack vector is network-based, with low attack complexity, requiring high privileges, and no user interaction. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (AttackerKB, Rapid7).

The vulnerability could allow authenticated attackers with administrator-level access to inject a PHP Object. While no known POP (Property-Oriented Programming) chain is present in the vulnerable software, if a POP chain exists via additional plugins or themes on the target system, it could enable attackers to delete arbitrary files, retrieve sensitive data, or execute code (Rapid7).

The vulnerability has been patched in version 2.2.8 of the LTL Freight Quotes – Daylight Edition plugin. Users are advised to update to version 2.2.8 or later to remove the vulnerability (Patchstack).