CVE-2026-3646
Received Received - Intake
Missing Authorization in LTL Freight Quotes Plugin Allows Subscription Manipulation

Publication date: 2026-04-08

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3646
EUVD
EUVD-2026-20042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rl_carriers ltl_freight_quotes to 3.3.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress has a vulnerability due to missing authorization in its webhook handler. Specifically, a standalone PHP file processes GET parameters without any authentication, authorization, or nonce verification. This allows unauthenticated attackers to modify the plugin's subscription plan settings.

  • Attackers can downgrade the store from a paid plan to the Trial Plan.
  • They can change the store type.
  • They can manipulate subscription expiration dates.

These changes can disable premium features such as Dropship and Hazardous Material handling.

Impact Analysis

This vulnerability can impact you by allowing unauthorized attackers to alter your plugin subscription settings without permission.

  • Your store could be downgraded from a paid plan to a Trial Plan, potentially losing access to paid features.
  • Premium features like Dropship and Hazardous Material handling could be disabled.
  • Subscription expiration dates could be manipulated, affecting service continuity.
Compliance Impact

The vulnerability allows unauthenticated attackers to modify subscription plan settings and disable premium features by exploiting missing authorization in the plugin's webhook handler. However, there is no information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3646. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart