Description
The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that can run arbitrary scripts when users visit pages.
Action: Immediate Patch
AI Analysis

Impact

The LTL Freight Quotes suite of WordPress plugins – Freightview Edition (≤ 1.0.11), Daylight Edition (≤ 2.2.6), and Day & Ross Edition (≤ 2.1.10) – is vulnerable to a stored cross‑site scripting flaw triggered via the expiry_date parameter. The flaw arises from insufficient input sanitization and output escaping, allowing an unauthenticated attacker to embed malicious scripts that will execute whenever a user views a page where the payload is stored. While the description does not explicitly state the downstream effects, it is inferred that injected scripts could potentially lead to credential theft, session hijacking, or other malicious actions performed in the context of authenticated users.

Affected Systems

These vulnerabilities affect the enituretechnology WordPress plugins: LTL Freight Quotes – Freightview Edition up to 1.0.11, LTL Freight Quotes – Daylight Edition up to 2.2.6, and LTL Freight Quotes – Day & Ross Edition up to 2.1.10. Administrators who have installed any of these plugin versions are potentially exposed.

Risk and Exploitability

The CVSS score is 7.2, indicating high severity, while the EPSS score is below 1%, implying a low likelihood of exploitation in the wild. The vulnerability is not currently listed in the CISA KEV catalog, but attackers could feasibly target sites with these plugins by sending crafted requests that include malicious payloads in the expiry_date parameter. Since authentication is not required, the attack surface is the public web interface of the plugin. Updating the affected plugin, disabling it, or migrating away from it mitigates the risk.

Generated by OpenCVE AI on April 28, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all LTL Freight Quotes plugins to the latest released versions that apply the XSS fix.
  • If an immediate upgrade is not feasible, modify the plugin source to sanitize and escape the expiry_date input before storing it, and ensure output containing this value is properly escaped using WordPress sanitization functions.
  • Implement a web application firewall rule that blocks or filters requests with script tags or suspicious characters in the expiry_date parameter, or restrict access to the plugin’s configuration pages to trusted administrators.

Generated by OpenCVE AI on April 28, 2026 at 01:28 UTC.
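
The second recommended action, sketched as an added example (not code from the affected plugins or from OpenCVE): strict validation of expiry_date before storage, and escaping whenever the stored value is output. The function names, the option key and the Y-m-d date format are assumptions, since the page does not show how the plugins handle the value.

```php
<?php
// Added illustration. Function names and the option key are hypothetical;
// the Y-m-d format for expiry_date is an assumption.

/**
 * Accept expiry_date only if it is a real calendar date in Y-m-d form.
 * Anything else is rejected rather than "cleaned".
 */
function example_parse_expiry_date( $raw ) {
    if ( ! is_string( $raw ) ) {
        return null; // arrays and other types are never a valid date
    }
    $value = sanitize_text_field( wp_unslash( $raw ) );
    $date  = DateTimeImmutable::createFromFormat( '!Y-m-d', $value );
    // The round-trip comparison rejects rolled-over dates such as
    // 2025-02-31 and non-canonical forms such as 2025-6-7.
    if ( false === $date || $date->format( 'Y-m-d' ) !== $value ) {
        return null;
    }
    return $value;
}

function example_store_expiry_date( $raw ) {
    $date = example_parse_expiry_date( $raw );
    if ( null === $date ) {
        return new WP_Error( 'invalid_expiry_date', 'expiry_date must be YYYY-MM-DD.' );
    }
    update_option( 'example_expiry_date', $date ); // hypothetical option key
    return true;
}

function example_render_expiry_date() {
    $stored = (string) get_option( 'example_expiry_date', '' );
    // Escape at output even though input is validated: values written
    // before the validation was added may still contain markup.
    printf(
        '<input type="text" name="expiry_date" value="%s" /><span>%s</span>',
        esc_attr( $stored ),
        esc_html( $stored )
    );
}
```

Validation alone does not clean values that were stored before it was in place, which is why the output path escapes independently.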

Advisories
Source: EUVD
ID: EUVD-2025-17370
Title: The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Mon, 09 Jun 2025 15:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 07 Jun 2025 08:30:00 +0000

Values Removed: none
Values Added:
  • Description: The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  • Title: LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter
  • Weaknesses: CWE-79
  • References
  • Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:34.061Z

Reserved: 2025-05-28T11:04:02.438Z

Link: CVE-2025-5303

Vulnrichment

Updated: 2025-06-09T15:08:25.523Z

NVD

Status: Deferred

Published: 2025-06-07T09:15:22.007

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses