CVE-2024-13476
📋 TL;DR
This SQL injection vulnerability in the LTL Freight Quotes WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries through the 'engtz_wd_save_dropship' AJAX endpoint. Attackers can extract sensitive database information, including user credentials, payment details, and other confidential data. All WordPress sites running version 2.3.11 or earlier of this plugin are affected.
💻 Affected Systems
- LTL Freight Quotes – GlobalTranz Edition WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, privilege escalation, and potential site takeover through credential extraction.
Likely Case
Extraction of sensitive user data, plugin configuration details, and potentially WordPress user credentials.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
SQL injection via AJAX endpoint requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.3.12 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3242457/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'LTL Freight Quotes – GlobalTranz Edition'.
4. Click 'Update Now' if available, or manually update to version 2.3.12 or later.
5. Verify the plugin is active and functioning.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
WordPress: Remove or restrict access to the vulnerable 'engtz_wd_save_dropship' AJAX endpoint.
Add to the theme's functions.php, replacing 'callback_function' with the name of the handler the plugin registers for these hooks (remove_action() only succeeds when the callback name and priority match the plugin's original add_action() call): remove_action('wp_ajax_engtz_wd_save_dropship', 'callback_function'); remove_action('wp_ajax_nopriv_engtz_wd_save_dropship', 'callback_function');
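A more robust form of the workaround above, added here as an example and not code from the plugin or this advisory: a must-use plugin that registers its own handler for the same two AJAX hooks at priority 0, so it runs ahead of the plugin's handler, and terminates unauthenticated requests (and authenticated ones lacking the manage_options capability, an assumed requirement) with a 403. Because it does not call remove_action(), it does not need to know the plugin's callback name or priority. The file name, function names and the manage_options check are assumptions.

```php
<?php
/**
 * Plugin Name: Block engtz_wd_save_dropship (temporary workaround for CVE-2024-13476)
 * Description: Added example, not part of the LTL Freight Quotes plugin. Place this
 *              file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// admin-ajax.php dispatches with do_action( 'wp_ajax_nopriv_' . $action ) for
// visitors and do_action( 'wp_ajax_' . $action ) for logged-in users. A callback
// registered at priority 0 runs before one registered at the default priority 10
// (and, because mu-plugins load first, before another priority-0 callback too).
// wp_send_json_error() terminates the request, so the plugin's handler never runs.
add_action( 'wp_ajax_nopriv_engtz_wd_save_dropship', 'wpvuln_block_dropship_nopriv', 0 );
add_action( 'wp_ajax_engtz_wd_save_dropship', 'wpvuln_gate_dropship_priv', 0 );

// Unauthenticated requests are refused unconditionally.
function wpvuln_block_dropship_nopriv() {
    wpvuln_log_blocked_request( 'unauthenticated' );
    wp_send_json_error( array( 'message' => 'Endpoint disabled.' ), 403 );
}

// Authenticated requests: assumption that only administrators need this action.
// Users with manage_options fall through to the plugin's own handler; others are refused.
function wpvuln_gate_dropship_priv() {
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    wpvuln_log_blocked_request( 'authenticated-low-privilege' );
    wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
}

// One structured line per blocked request, so the attempts show up in the logs
// the Detection section queries. Only metadata is written; the POST body is
// deliberately not copied into the log.
function wpvuln_log_blocked_request( $reason ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'CVE-2024-13476 blocked action=engtz_wd_save_dropship reason=%s ip=%s user=%d',
        $reason,
        $ip,
        get_current_user_id()
    ) );
}
```

If administrators legitimately rely on the dropship save action, keep the manage_options gate; if nobody does, the authenticated handler can refuse unconditionally as well. Remove the file once the plugin is updated to 2.3.12 or later.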
🧯 If You Can't Patch
- Disable or remove the LTL Freight Quotes plugin entirely
- Implement web application firewall (WAF) rules to block SQL injection patterns targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for LTL Freight Quotes version. If version is 2.3.11 or earlier, you are vulnerable.
Check Version:
wp plugin list --name='LTL Freight Quotes' --field=version (WP-CLI; note that --name matches the plugin's directory slug rather than its display name, so run wp plugin list --fields=name,version first to find the exact slug) or check the WordPress admin interface
Verify Fix Applied:
Verify plugin version shows 2.3.12 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=engtz_wd_save_dropship (a standard access log shows the action only when it is sent in the query string; an action sent in the POST body is visible only in WAF, reverse-proxy or application logs)
- SQL error messages in web server logs
- Multiple rapid requests to AJAX endpoints
Network Indicators:
- SQL injection patterns in HTTP POST parameters
- Unusual database query patterns from web server
SIEM Query (field names such as post_data are deployment-specific; adjust to your log schema):
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data="*engtz_wd_save_dropship*" AND (post_data="*UNION*" OR post_data="*SELECT*" OR post_data="*INSERT*" OR post_data="*DELETE*")
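The indicators above, worked into an offline detector as an added example (not code from this advisory, the plugin, or any SIEM product). It reads JSON-per-line web or WAF log events carrying ts, ip, uri and post_data fields (the field names are assumed to match the SIEM query) and reports two things the query alone does not: SQL injection patterns checked against the URL-decoded POST body rather than the raw encoded string, and bursts of requests to the endpoint from one address within a sliding window. The sample events, the regex list and the window and threshold values are constructed assumptions; the script requires PHP 7.4 or later.

```php
<?php
// Added example, not from the advisory or the plugin. Field names, patterns and
// thresholds are assumptions to be tuned against real traffic.

const TARGET_ACTION        = 'engtz_wd_save_dropship';
const BURST_WINDOW_SECONDS = 60;
const BURST_THRESHOLD      = 5;

// Crude SQL-injection indicators, applied to the URL-decoded POST body.
// Expect false positives on legitimate free-text fields.
const SQLI_PATTERNS = [
    '/\bunion\b[\s\/*]+(all\s+)?select\b/i',
    '/\bselect\b.+\bfrom\b/i',
    '/\b(insert\s+into|delete\s+from|update\s+\w+\s+set|drop\s+table)\b/i',
    '/[\'"]\s*(or|and)\s+[\w\'"]+\s*=/i',
    '/\b(sleep|benchmark)\s*\(/i',
    '/(--\s|\/\*)/',
];

function is_target_request(array $event): bool {
    if (($event['uri'] ?? '') !== '/wp-admin/admin-ajax.php') {
        return false;
    }
    parse_str($event['post_data'] ?? '', $params);  // parse_str URL-decodes values
    return ($params['action'] ?? '') === TARGET_ACTION;
}

function matched_sqli_patterns(string $raw_post_data): array {
    $decoded = urldecode($raw_post_data);  // inspect %27, '+' etc. in decoded form
    $hits = [];
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $re;
        }
    }
    return $hits;
}

function analyse_log(array $lines): array {
    $findings = [];
    $recent   = [];  // ip => timestamps of recent hits on the target action
    foreach ($lines as $index => $line) {
        $event = json_decode($line, true);
        if (!is_array($event) || !is_target_request($event)) {
            continue;
        }
        $ip = $event['ip'] ?? 'unknown';
        $ts = strtotime($event['ts'] ?? '') ?: 0;

        $hits = matched_sqli_patterns($event['post_data']);
        if ($hits) {
            $findings[] = ['line' => $index + 1, 'ip' => $ip, 'type' => 'sqli_pattern', 'detail' => $hits];
        }

        // Sliding window: keep only hits from the last BURST_WINDOW_SECONDS, report once per burst.
        $recent[$ip][] = $ts;
        $recent[$ip] = array_values(array_filter(
            $recent[$ip], fn($t) => $t >= $ts - BURST_WINDOW_SECONDS
        ));
        if (count($recent[$ip]) === BURST_THRESHOLD) {
            $findings[] = ['line' => $index + 1, 'ip' => $ip, 'type' => 'burst',
                           'detail' => BURST_THRESHOLD . ' requests in ' . BURST_WINDOW_SECONDS . 's'];
        }
    }
    return $findings;
}

// Constructed sample events using RFC 5737 test addresses; not real traffic.
$sample_log = [
    '{"ts":"2025-01-10T12:00:00Z","ip":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","post_data":"action=engtz_wd_save_dropship&dropship_id=12&name=Main+Warehouse"}',
    '{"ts":"2025-01-10T12:00:05Z","ip":"198.51.100.7","uri":"/wp-admin/admin-ajax.php","post_data":"action=engtz_wd_save_dropship&dropship_id=12%27%20UNION%20SELECT%201%2C2--%20"}',
    '{"ts":"2025-01-10T12:00:06Z","ip":"203.0.113.5","uri":"/wp-admin/admin-ajax.php","post_data":"action=heartbeat"}',
];
for ($i = 0; $i < 5; $i++) {  // five hits in five seconds from one address
    $sample_log[] = sprintf(
        '{"ts":"2025-01-10T12:01:%02dZ","ip":"192.0.2.9","uri":"/wp-admin/admin-ajax.php","post_data":"action=engtz_wd_save_dropship&dropship_id=%d"}',
        $i, $i
    );
}

foreach (analyse_log($sample_log) as $f) {
    printf("line %d ip %-13s %-13s %s\n", $f['line'], $f['ip'], $f['type'], json_encode($f['detail']));
}
```

Run it with `php detect_dropship.php` (file name assumed). The benign first event and the unrelated heartbeat request produce nothing; the URL-encoded injection attempt is caught only because the body is decoded before matching, which is the gap a wildcard search for literal UNION or SELECT in the raw field can miss.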