CVE-2025-1483 - Vulnerability Details

- LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update

Description

The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.

Published: 2025-02-20

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The LTL Freight Quotes – GlobalTranz Edition WordPress plugin contains a missing capability check on the engtz_wd_save_dropship AJAX endpoint, allowing anyone with access to the site to modify drop shipping settings without authentication. This flaw, classified as Unauthorized Access Control (CWE-862), could enable attackers to alter shipping rates, routes, or other configuration data, potentially leading to financial loss or service disruption.

Affected Systems

All installations of the Eniture Technology LTL Freight Quotes – GlobalTranz Edition plugin up to and including version 2.3.12 are affected. The product runs within WordPress environments and is identified by the package name used by the plugin author.

Risk and Exploitability

The vulnerability receives a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, meaning exploitation is considered unlikely at present. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply sending requests to the unprotected AJAX endpoint from any location with access to the site, without needing valid credentials or elevated privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

enituretechnology

LTL Freight Quotes – GlobalTranz Edition

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.3.12

Configuration 1 [-]

cpe:2.3:a:wwexgroup:ltl_freight_quotes:*:*:*:*:globaltranz:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the LTL Freight Quotes – GlobalTranz Edition plugin to the latest available version (>= 2.3.13) which includes the missing capability check.
If an immediate upgrade is not possible, block unauthenticated access to the engtz_wd_save_dropship AJAX endpoint by configuring your web server or firewall to require authentication before allowing POST or GET requests to that URL.
Implement general WordPress security hardening: ensure that only trusted administrators have high‑privilege roles, disable unused plugins and AJAX endpoints, and regularly review role capabilities to prevent privilege escalation.

Generated by OpenCVE AI on April 22, 2026 at 17:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4605	The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00171.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3243002/
https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve

History

Tue, 25 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwexgroup Wwexgroup ltl Freight Quotes
CPEs		cpe:2.3:a:wwexgroup:ltl_freight_quotes:::::globaltranz:wordpress::
Vendors & Products		Wwexgroup Wwexgroup ltl Freight Quotes

Thu, 20 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 20 Feb 2025 09:30:00 +0000

Type	Values Removed	Values Added
Description		The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings.
Title		LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/changeset/3243002/ https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Wwexgroup Ltl Freight Quotes

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-02-20T09:21:35.504Z

Updated: 2026-04-08T16:34:23.629Z

Reserved: 2025-02-19T21:13:44.386Z

Link: CVE-2025-1483

Vulnrichment

Updated: 2025-02-20T14:29:16.268Z

NVD

Status : Analyzed

Published: 2025-02-20T10:15:12.537

Modified: 2025-02-25T18:59:39.860

Link: CVE-2025-1483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object