CVE-2024-13477

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the LTL Freight Quotes WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries against the database. All WordPress sites using this plugin version 2.5.8 or earlier are affected, potentially exposing sensitive data like user credentials, payment information, or other database contents.

💻 Affected Systems

Products:
  • LTL Freight Quotes – Unishippers Edition WordPress Plugin
Versions: All versions up to and including 2.5.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and active on a WordPress site. No authentication required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, or full site takeover via credential extraction and subsequent admin access.

🟠 Likely Case

Extraction of sensitive data from the database including user information, shipping records, and potentially WordPress authentication credentials.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct parameter manipulation via HTTP requests to vulnerable endpoints. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.5.8

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3237773/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'LTL Freight Quotes – Unishippers Edition'.
  4. Click 'Update Now' if available, or manually update to the latest version.
  5. Verify the plugin version is above 2.5.8.

🔧 Temporary Workarounds

Temporary Plugin Deactivation (WordPress)

Disable the vulnerable plugin until a patched version is available:

wp plugin deactivate ltl-freight-quotes-unishippers-edition

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns targeting the 'edit_id' parameter
  • Restrict access to the WordPress admin interface and plugin endpoints using IP whitelisting or authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'LTL Freight Quotes – Unishippers Edition' version 2.5.8 or lower

Check Version:

wp plugin get ltl-freight-quotes-unishippers-edition --field=version

Verify Fix Applied:

Verify plugin version is above 2.5.8 in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in WordPress debug logs
  • Multiple requests to shipping-rules-save.php with SQL-like patterns in parameters

Network Indicators:

  • HTTP POST/GET requests to shipping-rules-save.php containing SQL keywords in 'edit_id' parameter

SIEM Query:

source="wordpress.log" AND "shipping-rules-save.php" AND ("SQL" OR "syntax" OR "edit_id")
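As an added detection example (not part of this advisory or the plugin's code), the following Python scans web-server access-log lines for requests to shipping-rules-save.php whose edit_id is not a plain numeric id, which is the anomaly the indicators above describe. The log lines, the plugin path prefix and the assumption that edit_id is normally an integer row id are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/Nginx combined format), not real traffic.
# PLUGIN_DIR is a placeholder; the detector keys on the script filename alone.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/PLUGIN_DIR/shipping-rules-save.php?edit_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "GET /wp-content/plugins/PLUGIN_DIR/shipping-rules-save.php?edit_id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jan/2025:10:01:09 +0000] "GET /wp-content/plugins/PLUGIN_DIR/shipping-rules-save.php?edit_id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 900 "-" "python-requests/2.31"
198.51.100.2 - - [10/Jan/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Generic SQL keywords and metacharacters; acceptable false-positive rate only because
# the parameter is expected to be a bare integer (assumption for this example).
SQL_RE = re.compile(r"""(['";]|--|/\*|\b(union|select|or|and|sleep|benchmark|information_schema)\b)""", re.I)

def is_suspicious_edit_id(value: str):
    """Return a reason string if `value` does not look like a legitimate numeric id, else None."""
    if value.isdigit():
        return None
    if SQL_RE.search(value):
        return "sql_keywords"
    return "non_numeric"

def scan_log(text: str):
    """Return findings for requests to shipping-rules-save.php carrying a suspicious edit_id."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("shipping-rules-save.php"):
            continue
        # parse_qs percent-decodes values. POST bodies never appear in access logs,
        # so only GET parameters can be inspected here; a WAF sees both.
        for value in parse_qs(url.query).get("edit_id", []):
            reason = is_suspicious_edit_id(value)
            if reason:
                findings.append({"src_ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "edit_id": value, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A burst of findings from one source address, especially paired with HTTP 500 responses, matches the "SQL error messages" indicator and is worth an alert rather than a log entry.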
